Queries for NSEC3 hashed owner names
Mark Andrews
marka at isc.org
Fri Feb 5 06:16:32 UTC 2010
In message <19306.62546.632032.348290 at hadron.switch.ch>, Alexander Gall writes:
> On 04 Feb 2010 15:39:55 +0000, Chris Thompson <cet1 at cam.ac.uk> said:
>
> > On Feb 4 2010, Alexander Gall wrote:
> >> Of the 60 sources in my sample,
> >> 26 responded to version queries. All of them identified themselves as
> >> some version of BIND
> >>
> >> 5 "9.5.0-P2"
> >> 3 "9.4.2-P2.1"
> >> 3 "9.4.2-P2"
> >> 3 "9.4.2-P1"
> >> 3 "9.3.4-P1"
> >> 1 "9.5.1-P3"
> >> 1 "9.5.0b3"
> >> 1 "9.4.1-P1"
> >> 1 "9.4.1"
> >> 1 "9.3.5-P2"
> >> 1 "9.3.5-P1"
> >> 1 "9.3.4-P1.2"
> >> 1 "9.3.4-P1.1"
> >> 1 "9.3.4"
> >>
> >> All of those are NSEC3-agnostic. They should not do any DNSSEC
> >> processing for the ch zone, because they don't support algorithm #7.
>
> > Most of the above versions will not have this fix
>
> > 2579. [bug] DNSSEC lookaside validation failed to handle unknown
> > algorithms. [RT #19479]
>
> > which could lead to all sorts of confusion if they are validating
> > via dlv.isc.org (say).
>
> Right, I forgot about that.
It's definitely reproducible with BIND 9.3.3 with DLV enabled. BIND
9.3.3 was when named shifted from using the private type for DLV
to an allocated type.
dig txt ch.
Perhaps SWITCH could filter these out and send messages to the whois
technical contacts in an attempt to get these servers upgraded in the
interests of a more secure and robust DNS?
BIND 9.5.1-P3 does not make the queries in question.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org