[Dnssec-deployment] Please upgrade validators to at least BIND-9.7.2 before .com is signed
each at isc.org
Wed Feb 2 12:01:17 EST 2011
> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions.
Please note that BIND releases don't progress in a linear fashion; a
release of BIND 9.6 may occur after a release of BIND 9.7, and include
the same bug fixes.
I believe that to be the case here. I think you've found a relative of
the bug that came up last April when .ARPA was signed. I blogged about
that one at:
The bug was fixed in all BIND releases since that time: 9.4-ESV-R3, 9.5.3,
9.6.3, 9.6-ESV-R2, 9.7.1, and the upcoming 9.8.0. (Only the last four
are really relevant to the current problem, though; 9.5 and earlier lack
SHA256 algorithm support, and therefore they can't validate the root zone
If you're running a version older than any of those, please do upgrade.
It's not necessary to jump all the way to 9.7.2 if you prefer to stay with
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the Dnssec-deployment