Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
Doug Barton
dougb at dougbarton.us
Tue Dec 15 04:05:40 UTC 2009
While this reminder is timely and helpful, more welcome would be the
news that BIND 9.6.2 is going to have actual support for
RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem
to indicate that it does, although I would be happy to be proven wrong.
I personally don't think it's reasonable to expect everyone who wants
to validate with BIND to upgrade to 9.7.x for a variety of reasons
that I'd be happy to elucidate if they are not obvious.
Doug
--
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
Mark Andrews wrote:
> With upcoming deployment of RSASHA256 to sign the root zone, ISC
> would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
> DLV, but have not yet upgraded, that they will need to upgrade to
> a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
> will not correctly handle RSASHA256 and RSASHA512 signed zones in
> DLV.
>
> 2579. [bug] DNSSEC lookaside validation failed to handle unknown
> algorithms. [RT #19479]
>
> This defect was addressed in BIND 9.6.1.
>
> ISC has arranged for two test zones to be made available which are
> signed using the new algorithms which are listed in dlv.isc.org.
>
> You can test whether you can successfully resolve these zones using the
> following queries.
>
> dig rsasha256.island.dlvtest.dns-oarc.net soa
> dig rsasha512.island.dlvtest.dns-oarc.net soa
>