ISC's Response to Concerns Expressed Around Misconfigured Trust Anchors and Aggressive Validator Behavior

In response to concerns expressed to ISC both directly and within the article "Roll over and Die", published earlier this week, we at ISC would like to share with the community our plans to mitigate this issue.

ISC plans the following:

  • Immediate development effort, with an update to all currently supported versions of BIND (9.4-ESV through 9.7.0, inclusive) to be made public within 6 weeks, or sooner if our best efforts allow.
  • Thorough analysis of this issue, including discussion within the IETF DNS working group and with other appropriate fora and DNS resolver implementors.
  • Outreach to and dialogue with all package maintainers and OS vendors who distribute BIND on the implications of using outdated keys and suggested best practices for trust anchor maintenance.
  • Urgent communication with and full disclosure to our forum members, support customers, users and partners regarding this issue.

A response to concerns that BIND 9.7 or BIND 9.6.2 should have been delayed because of this issue is in Michael Graff's blog entry posted on February 11th.

To be notified when the patched versions of BIND are released, please join our bind-announce@isc.org mailing list.

Any questions should go to Larissa Shapiro, BIND Product Manager, at larissas@isc.org.
