[Dnssec-deployment] Please upgrade validators to at least BIND-9.7.2 before .com is signed
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Wed Feb 2 11:03:14 EST 2011
Hi Duane,
On 02/02/2011 04:21 PM, Wessels, Duane wrote:
> Following the deployment of DNSSEC in the .net zone, Verisign became aware
> of issues experienced by users of certain BIND versions when used as a
> recursive name server and configured for validation.
>
> A more detailed description of this issue and our analysis is available
> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
That is a very nice report, Duane. I misinterpreted step 3, and I
thought you meant that DNSKEYs were introduced in .net. But the step
seems unnecessary for the cause of the validation failure of
unsigned.net (but you need to do it to check signed.net, of course),
e.g. the addition you do later.
From reading it closely unbound should not be impacted. The separation
of validation and iteration, bladibla, design choices and software
diversity. That is, unless you have done tests with unbound too?
Best regards,
Wouter