[dns-operations] BIND validation problem with some DE zones [was: Operational Note -- DNSSEC for DE]

Larissa Shapiro larissas at isc.org
Fri May 27 11:47:03 UTC 2011

Yes, we did. And I don't think the changes file went out in the
advisory notices last night (apologies for that, we were... running
hard), but we did.


On 5/27/11 4:31 AM, Chris Thompson wrote:
> Last night I wrote
> [...]
>> I have a BIND patch from ISC against bug report 24631 which apparently
>> fixes the problem (it works for child.dnssec-bug.csi.cam.ac.uk anyway).
>> I will refrain from posting it here pending permission from ISC. (Not
>> that we could expect many BIND instances to get fixed before DENIC
>> unobscure the "de" DNSKEYs, anyway.)
> It turns out that ISC have slipped this into the new versions
> 9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2 together with the ... umm,
> more serious bug fix! It is there in the CHANGES file as
> 3120.   [bug]     Named could fail to validate zones listed in a DLV
>                  that validated insecure without using DLV and had
>                  DS records in the parent zone. [RT #24631]

Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335
