Verisign fix

Ian Northeast ian at house-from-hell.demon.co.uk
Sat Sep 20 00:42:21 UTC 2003


Paul Vixie wrote:
> 
> Andrew Gay <andrew at ssynth.co.uk> writes:
> 
> > I see exactly the same thing with 9.2.2-P1.  NS queries for real domains
> > give NXDOMAIN if the domain has glue records in the parent zone.  Once
> > you cache the glue (by querying for something else) the query for NS
> > will work.
> >
> > Oddly, querying for 'Any' with an empty cache does return the missing
> > NS RRs.
> >
> > This might not break much, but it is not correct behaviour.
> 
> it's a known problem in the current patch.  it won't break anything other
> than diagnostic tools like the "dig" command and the humans who run it.
> but we have a fix and will release it shortly.

As a DNS/mail admin I consider the breaking of dig and the humans who
run it (e.g. me) to be very serious (I don't quite see how a bind bug
can break me, but ISWYM:). I spend a fair amount of time debugging other
people's broken DNS, mail and network configurations. The last thing I
need is having my local tools and services broken too.

I am not going to implement 9.2.2-P1, which I think was released too
hastily, understandably given the pressure for the fix. When the next
patch arrives I will evaluate it very carefully before I implement it.
Until then, the reject route for Verisign's server will have to suffice.

Regards, Ian

