[dns-operations] Looking for wildcard record served by a stable signed TLD nameserver

Mark Andrews marka at isc.org
Fri May 9 22:39:28 UTC 2014


In message <alpine.LFD.2.10.1405091133060.30192 at bofh.nohats.ca>, Paul Wouters writes:
> 
> Hi,
> 
> fedorahosted.org and fedorapeople.org use wildcards which fail often
> when people are chained to an older bind version with the "NOQNAME
> NSEC/NSEC3 proof extraction bug".
> 
> (See https://bugzilla.redhat.com/show_bug.cgi?id=824219)
> 
> For tools (like dnssec trigger) to detect this, we need a "stable"
> location of such a wildcard to add a probe test. Ideally within a TLD
> as dnssec-trigger prefers to use TLDs for stability - it would be bad
> if a test gave a false positive and reconfigures everyone's forwarding
> resolver differently.
> 
> As this issue comes up with a new duplicate bug entry every few months,
> I'm looking at a friendly (DNSSEC signed) TLD who has or is willing to
> put in a wildcard at some very stable location so we can add this test
> to dnssec-trigger.
> 
> Paul

What's needed here is for OS maintainers to actually "maintain"
their OS's by including maintenance releases of the software they
are shipping and not just cherry-pick security fixes back into older
releases.  There are bugs which don't rise to the level of requiring
a security advisory but are still critical bugs which need to be fixed.

Do we have to abuse the security advisory process to get people to
pick up bug fixes?

We don't go through the process of releasing maintenance releases
for the fun of it.  We do it because there are bugs which have caused
problems to someone somewhere in the world.  Fixing those bugs and
providing a maintenance release reduces everyone's future bug reports.

Now if we were adding features with every release then I would
understand the reluctance to apply maintenance releases but we
don't.  We even have extended support releases so that OS's
can have stable feature sets from us for many years.

We do feature releases to introduce new functionality.  We don't
expect OS maintainers to jump on these immediately and include them
in the OS.  We do expect them to look at them for the next major
OS release.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


