<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
<div class="moz-text-plain" wrap="true" style="font-family:
-moz-fixed; font-size: 12px;" lang="x-western">
<pre wrap="">Colleagues,
ISC is issuing the following operational advisory in response to this
concern. Please circulate as appropriate.
Larissa
</pre>
<div align="center"><br>
Operational Advisory for BIND 9.6-ESV-R3 and previous<br>
</div>
<pre wrap="">
This advisory is for operators currently deploying DNSSEC-validating
resolvers. It is urgent due to the insertion of .com's DNSSEC
information in the root zone scheduled for March 31st (Thursday) for
those running BIND 9.6-ESV-R3.
There is a defect in 9.6-ESV-R3 which affects DNSSEC-validating
resolvers, which can cause queries for .com names to fail with
validation errors when DNSSEC records for the .com zone are initially
inserted into the root zone.
9.6.3, 9.7.3, and 9.8.0 are not affected by this defect. 9.6.2 and
earlier versions are affected.
We are repackaging 9.6.3 as 9.6-ESV-R4. Other than the version number,
there will be no functional changes between these versions. We plan to
release this version on Tuesday, March 29th.
Today, our suggestion is this:
(1) If you cannot wait to upgrade to 9.6-ESV-R4, you may install 9.6.3.
We will treat 9.6.3 as an ESV for support purposes until 9.6-ESV-R5 is
available, which is planned to occur within two months.
(2) If you can wait to upgrade, please upgrade to 9.6-ESV-R4 before the
.com DNSSEC records are inserted into the root zone.
(3) If you cannot upgrade your server software, you may want to disable
validation before the .com DNSSEC records are inserted into the root and
re-enable it a few days after.
(4) If your server is not updated and becomes affected, "rndc flushname
com" should correct the problem, as would restarting the server.
</pre>
<blockquote type="cite" style="color: rgb(0, 0, 0);">
<pre wrap=""><span class="moz-txt-citetags">> </span>-------- Original Message --------
<span class="moz-txt-citetags">> </span>Subject: [dns-operations] BIND and the upcoming .COM DNSSEC change
<span class="moz-txt-citetags">> </span>Date: Sun, 27 Mar 2011 20:45:07 +0200
<span class="moz-txt-citetags">> </span>From: Florian Weimer <a class="moz-txt-link-rfc2396E" href="mailto:fw@deneb.enyo.de"><fw@deneb.enyo.de></a>
<span class="moz-txt-citetags">> </span>To: <a class="moz-txt-link-abbreviated" href="mailto:dns-operations@mail.dns-oarc.net">dns-operations@mail.dns-oarc.net</a>
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>It's not clear to me how buggy versions of BIND (9.6-ESV, in
<span class="moz-txt-citetags">> </span>particular) react to DNSSEC-related changes as described in:
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span><a class="moz-txt-link-rfc2396E" href="http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf"><http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf></a>
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>Will a server restart be sufficient in all cases, even if the resolver
<span class="moz-txt-citetags">> </span>has enabled DLV?
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>I'm also a bit concerned that 9.6-ESV is effectively end-of-life.
<span class="moz-txt-citetags">> </span>(There's another fix for zone availability issues under DNSSEC which
<span class="moz-txt-citetags">> </span>hasn't been back-ported to it, either.) Have I missed a public
<span class="moz-txt-citetags">> </span>statement from ISC on this matter?
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>Background: I suppose Debian needs to issue an advisory, now without
<span class="moz-txt-citetags">> </span>the fix in code, and I want to get the facts straight.
<span class="moz-txt-citetags">> </span>_______________________________________________
<span class="moz-txt-citetags">> </span>dns-operations mailing list
<span class="moz-txt-citetags">> </span><a class="moz-txt-link-abbreviated" href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a>
<span class="moz-txt-citetags">> </span><a class="moz-txt-link-freetext" href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a>
</pre>
</blockquote>
<pre wrap=""><div class="moz-txt-sig">--
Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335
<a class="moz-txt-link-abbreviated" href="http://www.isc.org">www.isc.org</a></div></pre>
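<p>An added example, not part of ISC's advisory or of BIND itself: a small POSIX shell helper for steps (3) and (4) of the advisory above. It rewrites the dnssec-validation option in a named.conf file so validation can be turned off before the .com DS records reach the root and turned back on a few days later, and then reloads the server and flushes cached .com data with the rndc commands the advisory names. The file layout (a single dnssec-validation line inside the options block), the helper names and the sample named.conf are assumptions made for this example.</p>

```shell
#!/bin/sh
# Added example (not ISC's own code): toggle dnssec-validation in a named.conf
# and apply it, following steps (3) and (4) of the ISC operational advisory.
# Assumptions: the options block holds exactly one "dnssec-validation <value>;"
# line, and rndc is already configured for the resolver being managed.

# Print the current dnssec-validation value ("yes" or "no") from a named.conf.
get_dnssec_validation() {
    sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*$/\1/p' "$1" | head -n 1
}

# Rewrite the dnssec-validation line to yes|no, preserving indentation, and
# print the value read back from the file so the caller can verify the edit.
set_dnssec_validation() {
    file=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "usage: set_dnssec_validation FILE yes|no" >&2; return 2 ;;
    esac
    sed "s/^\([[:space:]]*\)dnssec-validation[[:space:]]\{1,\}[a-z]*[[:space:]]*;/\1dnssec-validation $value;/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    get_dnssec_validation "$file"
}

# Reload the running server so the edited options take effect, then drop any
# cached .com data; the advisory's step (4) gives "rndc flushname com" as the
# correction for a server that has already started failing .com validation.
apply_and_flush() {
    if command -v rndc >/dev/null 2>&1; then
        rndc reload && rndc flushname com
    else
        echo "rndc not found; run 'rndc reload' and 'rndc flushname com' on the resolver" >&2
        return 1
    fi
}

# Constructed sample named.conf (not taken from any real deployment), used to
# try the helpers without touching a live server.
write_sample_conf() {
    printf '%s\n' \
        'options {' \
        '    directory "/var/cache/bind";' \
        '    dnssec-enable yes;' \
        '    dnssec-validation yes;' \
        '};' > "$1"
}
```

<p>Typical use on a resolver that cannot be upgraded in time: source the file, run <tt>set_dnssec_validation /etc/named.conf no</tt> followed by <tt>apply_and_flush</tt> before the .com DS records are published, and repeat with <tt>yes</tt> a few days after. The sed edit is deliberately limited to the existing line so an unexpected layout leaves the file untouched; check the value it prints before reloading.</p>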
</div>
</body>
</html>