bind 9.6.2 dnssec validation bug
Russell Jackson
raj at csub.edu
Mon Feb 7 06:34:40 UTC 2011
On 02/06/2011 10:16 PM, Doug Barton wrote:
> On 02/06/2011 20:58, Jeremy Chadwick wrote:
> | On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
> |> I haven't seen any mention of this anywhere. Are there any plans to
> |> update BIND in the 8.1/8.2 branches?
> |>
> |> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
> |
> | This was discussed vehemently in December 2010:
> |
> | http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640
>
> Different issue. :)
>
> | RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
> | official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
> |
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README
>
> The 9.6.3 update was in ports the same day it was released, and is now
> in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
> that Jeremy posted above. I've sent the information about this problem
> to the release engineers, whether or not it makes it into 8.2-RELEASE is
> completely in their hands. However, the material that I sent them about
> this problem boiled down to the following:
>
> 1. This IS a significant bug for those who have DNSSEC validation
> enabled, however
> 2. Only a minority of our users have it enabled, and the named.conf in
> the base does not.
> 3. The bug can be worked around by restarting the affected name server
> _after_ it sees the new DS record, however
> 4. The only way to detect this problem is to wait for it to break.
>
> There are also the additional long-standing points that the latest
> releases of BIND are always in the ports, and anyone doing "serious"
> DNSSEC at this stage will want to be running 9.7.x (or the upcoming
> 9.8.x) because it supports RFC 5011 trust anchor rollover, among other
> nice DNSSEC features.
>
> | As for whether or not this will be backported to the RELENG_8_1 tag, I
> | would say "probably", but Doug would be authoritative on that.
>
> Back-porting it that far is definitely not being considered at the
> moment, and is unlikely to happen.
>
Looks like I should just suck it up and start using the bind97 port.
Thanks.
--
Russell A. Jackson <raj at csub.edu>
Network Analyst
California State University, Bakersfield
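Point 4 in Doug's list above ("the only way to detect this problem is to wait for it to break") and the restart workaround in point 3 suggest a simple probe: periodically ask the validating resolver for a name in a signed zone and watch for the answer turning from NOERROR with the AD (authenticated data) flag into SERVFAIL. The script below is an added example written for this page, not code from the thread, ISC or the FreeBSD project. It classifies the header lines of `dig +dnssec` output; the three sample outputs are constructed inline so the script runs offline, and in real use they would be replaced by the output of a query against the local resolver (the resolver address and zone name are assumptions, not anything the thread names).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a validating
# resolver's answer and decide whether the restart workaround from the thread
# is worth trying. Inputs are the header lines that `dig +dnssec` prints.

# classify_dig_output OUTPUT -> prints one of:
#   validated   : status NOERROR and the AD flag set (validation working)
#   unvalidated : status NOERROR without AD (resolver not validating this name)
#   servfail    : status SERVFAIL, the symptom the thread describes after a
#                 new DS record is published
#   unknown     : no status line found in the input
#   <other>     : any other RCODE, lower-cased (e.g. nxdomain)
classify_dig_output() {
    out=$1
    # dig header line looks like: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41234"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # dig flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case $status in
        SERVFAIL) echo servfail ;;
        NOERROR)
            # Surround with spaces so "ad" is matched as a whole token, not inside "rd"/"ra".
            case " $flags " in
                *" ad "*) echo validated ;;
                *) echo unvalidated ;;
            esac ;;
        "") echo unknown ;;
        *) printf '%s\n' "$status" | tr 'A-Z' 'a-z' ;;
    esac
}

# needs_named_restart OUTPUT -> exit status 0 when the answer is SERVFAIL,
# i.e. when the thread's workaround (restart named after the new DS record
# has been seen) is the thing to try next. Other failures return 1.
needs_named_restart() {
    [ "$(classify_dig_output "$1")" = servfail ]
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone demonstration. A real check would replace the samples with
#   dig +dnssec @127.0.0.1 example.net. A      (resolver and zone are assumptions)
# and run from cron, paging an operator when needs_named_restart succeeds.
for sample in "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED" "$SAMPLE_SERVFAIL"; do
    echo "classification: $(classify_dig_output "$sample")"
done
```

A SERVFAIL from a validating resolver has other possible causes (expired signatures in the zone, clock skew, upstream outages), so the probe only tells you that validation for that name is broken, not why; the thread's restart workaround is the cheap first thing to try on 9.6.2, and the classification should be taken alongside the resolver's own logs.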