[Dnssec-deployment] Please upgrade validators to at least BIND-9.7.2 before .com is signed
wouter at nlnetlabs.nl
Wed Feb 2 11:03:14 EST 2011
On 02/02/2011 04:21 PM, Wessels, Duane wrote:
> Following the deployment of DNSSEC in the .net zone, Verisign became aware
> of issues experienced by users of certain BIND versions when used as a
> recursive name server and configured for validation.
> A more detailed description of this issue and our analysis is available
> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
That is a very nice report, Duane. I misinterpreted step 3, and I
thought you meant that DNSKEYs were introduced in .net. But the step
seems unnecessary for the cause of the validation failure of
unsigned.net (but you need to do it to check signed.net, of course),
e.g. the addition you do later.
From reading it closely, unbound should not be impacted. The separation
of validation and iteration, bladibla, design choices and software
diversity. That is, unless you have done tests with unbound too?