bind 9.6.2 dnssec validation bug

Doug Barton dougb at FreeBSD.org
Mon Feb 7 06:16:24 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/06/2011 20:58, Jeremy Chadwick wrote:
| On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
|> I haven't seen any mention of this anywhere. Are there any plans to
|> update BIND in the 8.1/8.2 branches?
|>
|> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
|
| This was discussed vehemently in December 2010:
|
| http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640

Different issue. :)

| RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
| official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
|
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README

The 9.6.3 update was in ports the same day it was released, and is now
in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
that Jeremy posted above. I've sent the information about this problem
to the release engineers; whether or not it makes it into 8.2-RELEASE is
completely in their hands. However, the material that I sent them about
this problem boiled down to the following:

1. This IS a significant bug for those who have DNSSEC validation
enabled, however
2. Only a minority of our users have it enabled, and the named.conf in
the base does not.
3. The bug can be worked around by restarting the affected name server
_after_ it sees the new DS record, however
4. The only way to detect this problem is to wait for it to break.

There are also the additional long-standing points that the latest
releases of BIND are always in the ports, and anyone doing "serious"
DNSSEC at this stage will want to be running 9.7.x (or the upcoming
9.8.x) because it supports RFC 5011 trust anchor rollover, among other
nice DNSSEC features.

| As for whether or not this will be backported to the RELENG_8_1 tag, I
| would say "probably", but Doug would be authoritative on that.

Back-porting it that far is definitely not being considered at the
moment, and is unlikely to happen.


hth,

Doug

- -- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)

iQEcBAEBCAAGBQJNT440AAoJEFzGhvEaGryED28IAJfW8yLH1YngzaKCMvopeZXq
HQ5DstQpg9X9vSsqGABh/2A1rtFQsyUOIEK9Af/Rsc1X9w9MNgkEDDNfrJdk0JRK
NiJuemPgZGaunhXcXZTyUOuHJOAtJJds/Tcabw2nZv/bagM9KGApOCSuBzbWpam/
90pOttSKoMs5gxHn75BcSjxRiu4mYiEo7wgkdxF8OwEedHSI6y6SQoMXMgmYkjXS
mpOR8AOtrHxN17an7yn26o6Sh3gUW5BSbsIHW921yiDv+lf0N8cT5+T+Livbso/k
tciZMZbMExWt02gAzotOjdMX5npkDz4/dMT9L6R6rrPecsDnvdxWE+2gf73a0Lc=
=n/On
-----END PGP SIGNATURE-----
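An added check for the symptom described in point 4 above (you only find out when validation breaks). This is example code written for this page, not code from the thread, ISC or FreeBSD, and the dig outputs it carries are constructed samples. It assumes the resolver listens on 127.0.0.1, that dig is installed, that the probe name lies in a correctly signed zone, and that FreeBSD's /etc/rc.d/named is the way to restart the server. It uses the usual troubleshooting trick of repeating a failed query with the CD (checking disabled) bit set: a name that fails normally but resolves with +cd is failing validation at the resolver, which is the case where the restart workaround from point 3 applies, as opposed to an upstream outage.

```shell
#!/bin/sh
# Example probe (not from the thread): tell a DNSSEC validation failure at a
# local resolver apart from an ordinary resolution failure.
# Assumptions (mine): resolver on 127.0.0.1, dig available, PROBE_NAME is in a
# zone that is correctly signed, restart via /etc/rc.d/named on FreeBSD.

RESOLVER="${RESOLVER:-127.0.0.1}"
PROBE_NAME="${PROBE_NAME:-example.net}"   # placeholder; use a zone you know is signed

# classify_dig: read one "dig +dnssec" answer on stdin and print one word:
#   validated  NOERROR with the AD flag set (resolver validated the answer)
#   insecure   NOERROR without AD (zone unsigned, CD set, or not validating)
#   servfail   status SERVFAIL (validation failure or upstream outage)
#   other      NXDOMAIN, REFUSED, timeout, or no header line at all
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo servfail ;;
        *)        echo other ;;
    esac
}

# diagnose NORMAL CD: combine the classification of the normal query with that
# of the same query sent with +cd (checking disabled).
#   ok                  validated normally
#   validation_failure  SERVFAIL normally but data with CD set: the resolver's
#                       validation is broken; this is where "restart named after
#                       it has seen the new DS record" applies
#   upstream_failure    fails with CD set too: not a validation problem
#   not_validating      NOERROR without AD: the resolver is not validating
diagnose() {
    case "$1/$2" in
        validated/*)                        echo ok ;;
        servfail/validated|servfail/insecure) echo validation_failure ;;
        servfail/*)                         echo upstream_failure ;;
        insecure/*)                         echo not_validating ;;
        *)                                  echo unknown ;;
    esac
}

# probe: run both queries against the real resolver and print the diagnosis.
# The restart itself is left to the operator (on FreeBSD: /etc/rc.d/named restart).
probe() {
    normal=$(dig @"$RESOLVER" +dnssec +tries=1 +time=3 "$PROBE_NAME" A | classify_dig)
    bypass=$(dig @"$RESOLVER" +dnssec +cd +tries=1 +time=3 "$PROBE_NAME" A | classify_dig)
    diagnose "$normal" "$bypass"
}

# Constructed dig output, trimmed to the header lines the classifier reads.
sample_validated() {
cat <<'EOF'
; <<>> DiG 9.6.3 <<>> @127.0.0.1 +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_cd_bypass() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_timeout() {
cat <<'EOF'
;; connection timed out; no servers could be reached
EOF
}

# Run the live probe only when asked, so the file can also be sourced.
if [ "${1:-}" = "--probe" ]; then
    probe
fi
```

Run it as `sh probe.sh --probe` from cron and page on validation_failure; the constructed samples cover the four cases the classifier distinguishes.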