Please upgrade validators to at least BIND-9.7.2 before .com is signed

Chris Thompson cet1 at cam.ac.uk
Thu Feb 3 15:13:23 UTC 2011


On Feb 2 2011, Evan Hunt wrote:

>I believe that to be the case here.  I think you've found a relative of
>the bug that came up last April when .ARPA was signed.  I blogged about
>that one at:
>
>http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa
>
>The bug was fixed in all BIND releases since that time: 9.4-ESV-R3, 9.5.3,
>9.6.3, 9.6-ESV-R2, 9.7.1, and the upcoming 9.8.0.  

2890 appears in the CHANGES file for all these, but I can't find an entry for
the consequential bug fix 2904 in the 9.6-ESV series.

9.6.3 is still only at 9.6.3rc1, as has been pointed out elsewhere.

>(Only the last four are really relevant to the current problem, though;
>9.5 and earlier lack SHA256 algorithm support, and therefore they can't
>validate the root zone anyway.)

2890 does affect validating via dlv.isc.org as well, though, with glitches
when zones appear there for the first time.

>If you're running a version older than any of those, please do upgrade.
>It's not necessary to jump all the way to 9.7.2 if you prefer to stay with
>9.6, however.

If anyone does get caught out on 31 March, validating using an older
version, then "rndc flushname com" should cure that particular case.
(Well, it worked for us for other TLDs, back when we were still using
9.6.2 last year.)

-- 
Chris Thompson
Email: cet1 at cam.ac.uk


