Please upgrade validators to at least BIND-9.7.2 before .com is signed
Evan Hunt
each at isc.org
Wed Feb 2 17:03:01 UTC 2011
> This message, while operational in nature, is probably of interest to
> the subscribed on bind-users, so I'm forwarding it here.

I just posted this response there:

> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions.

Please note that BIND releases don't progress in a linear fashion; a
release of BIND 9.6 may occur after a release of BIND 9.7, and include
the same bug fixes.

I believe that to be the case here. I think you've found a relative of
the bug that came up last April when .ARPA was signed. I blogged about
that one at:

http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa

The bug was fixed in all BIND releases since that time: 9.4-ESV-R3, 9.5.3,
9.6.3, 9.6-ESV-R2, 9.7.1, and the upcoming 9.8.0. (Only the last four
are really relevant to the current problem, though; 9.5 and earlier lack
SHA256 algorithm support, and therefore they can't validate the root zone
anyway.)

If you're running a version older than any of those, please do upgrade.
It's not necessary to jump all the way to 9.7.2 if you prefer to stay with
9.6, however.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
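
Because releases on different branches interleave, a plain "is my version number at least X" comparison gives the wrong answer for the fix list in the message above. The following is an added example, not code from the message or from ISC: it checks a version string against the per-branch fixed releases quoted above. The function names, the handling of alpha/beta/rc builds as older than the final release, and the treatment of branches after 9.8 as fixed are assumptions of this example.

```python
import re

# Earliest fixed release per branch, taken from the list in the message.
# Key: (major, minor, is_esv); value: minimum patch number (ESV: "R" number).
FIXED_IN = {
    (9, 4, True): 3,   # 9.4-ESV-R3
    (9, 5, False): 3,  # 9.5.3
    (9, 6, False): 3,  # 9.6.3
    (9, 6, True): 2,   # 9.6-ESV-R2
    (9, 7, False): 1,  # 9.7.1
    (9, 8, False): 0,  # 9.8.0
}

_ESV = re.compile(r"^(\d+)\.(\d+)-ESV(?:-R(\d+))?(?:-P\d+)?$")
_STD = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+)?(?:-P\d+)?$")

def parse(version):
    """Return (major, minor, is_esv, level, is_prerelease)."""
    v = version.strip()
    m = _ESV.match(v)
    if m:
        return int(m[1]), int(m[2]), True, int(m[3] or 0), False
    m = _STD.match(v)
    if m:
        return int(m[1]), int(m[2]), False, int(m[3]), m[4] is not None
    raise ValueError(f"unrecognised BIND version: {version!r}")

def has_fix(version):
    """True if the version is at or past the fixed release on its own branch."""
    major, minor, esv, level, pre = parse(version)
    if (major, minor) > (9, 8):
        return True   # assumption: branches after 9.8 carry the fix
    need = FIXED_IN.get((major, minor, esv))
    if need is None:
        return False  # branch has no fixed release in the list
    # assumption: an alpha/beta/rc of X sorts before the final X
    return level > need or (level == need and not pre)

def has_sha256_support(version):
    """Per the message, 9.5 and earlier cannot validate the root zone."""
    major, minor, *_ = parse(version)
    return (major, minor) >= (9, 6)

if __name__ == "__main__":
    # Constructed sample inventory, not taken from the message.
    for v in ["9.6.2-P3", "9.6.3", "9.6-ESV-R1", "9.7.0-P2", "9.7.2"]:
        print(f"{v:12} fixed={has_fix(v)} sha256={has_sha256_support(v)}")
```

Note that 9.7.0-P2 is reported as unfixed while 9.6.3 is reported as fixed, which is the non-linear case the message describes.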