Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
Mark Andrews
marka at isc.org
Tue Dec 15 03:40:35 UTC 2009
With upcoming deployment of RSASHA256 to sign the root zone, ISC
would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
DLV, but have not yet upgraded, that they will need to upgrade to
a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
will not correctly handle RSASHA256 and RSASHA512 signed zones in
DLV.
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
This defect was addressed in BIND 9.6.1.
ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.
You can test whether you can successfully resolve these zones using the
following queries.
dig rsasha256.island.dlvtest.dns-oarc.net soa
dig rsasha512.island.dlvtest.dns-oarc.net soa
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark at isc.org
More information about the bind-users
mailing list