bind 9.6.2 dnssec validation bug

Doug Barton dougb at
Mon Feb 7 06:16:24 UTC 2011

Hash: SHA256

On 02/06/2011 20:58, Jeremy Chadwick wrote:
| On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
|> I haven't seen any mention of this anywhere. Are there any plans to
|> update BIND in the 8.1/8.2 branches?
| This was discussed vehemently in December 2010:

Different issue. :)

| RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
| official 9.6.3 as of a commit done by Doug Barton only a few hours ago:

The 9.6.3 update was in ports the same day it was released, and is now
in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
that Jeremy posted above. I've sent the information about this problem
to the release engineers, whether or not it makes it into 8.2-RELEASE is
completely in their hands. However, the material that I sent them about
this problem boiled down to the following:

1. This IS a significant bug for those who have DNSSEC validation
enabled, however
2. Only a minority of our users have it enabled, and the named.conf in
the base does not.
3. The bug can be worked around by restarting the affected name server
_after_ it sees the new DS record, however
4. The only way to detect this problem is to wait for it to break.

There are also the additional long-standing points that the latest
releases of BIND are always in the ports, and anyone doing "serious"
DNSSEC at this stage will want to be running 9.7.x (or the upcoming
9.8.x) because it supports RFC 5011 trust anchor rollover, among other
nice DNSSEC features.

| As for whether or not this will be backported to the RELENG_8_1 tag, I
| would say "probably", but Doug would be authoritative on that.

Back-porting it that far is definitely not being considered at the
moment, and is unlikely to happen.



- -- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)

Version: GnuPG v2.0.17 (FreeBSD)


More information about the freebsd-stable mailing list