[Dnssec-deployment] Operational Advisory for DNSSEC users regarding BIND 9.6-ESV-R3 and Previous

Larissa Shapiro larissas at isc.org
Mon Mar 28 07:41:28 EDT 2011 

Colleagues,

ISC is issuing the following operational advisory in response to
concerns around BIND 9.6-ESV's readiness for the insertion of .com's
DNSSEC information in the root zone.  Please circulate as appropriate.

Larissa

Operational Advisory for BIND 9.6-ESV-R3 and Previous

This advisory is for operators currently deploying DNSSEC validating
resolvers.  It is urgent due to the insertion of .com's DNSSEC
information in the root zone scheduled for March 31st (Thursday) for
those running BIND 9.6-ESV-R3.

There is a defect in 9.6-ESV-R3 which affects DNSSEC validating
resolvers, which can cause queries for .com names to fail with
validation errors, DNSSEC records for the .com zone are initially
inserted into the root zone.

9.6.3, 9.7.3, and 9.8.0 are not affected by this defect.  9.6.2 and
earlier versions are affected.

We are repackaging 9.6.3 as 9.6-ESV-R4.  Other than the version number,
there will be no functional changes between these versions.  We plan to
release this version on Tuesday, March 29th.

Today, our suggestion is this:

(1)  If you cannot wait to upgrade to 9.6-ESV-R4, you may install 9.6.3.
 We will treat 9.6.3 as an ESV for support purposes until 9.6-ESV-R5 is
available, which is planned to occur within two months.

(2)  If you can wait to upgrade, please upgrade to 9.6-ESV-R4 before the
.com DNSSEC records are inserted into the root zone.

(3)  If you cannot upgrade your server software, you may want to disable
validation before the .com DNSSEC records are inserted into the root and
re-enable it again a few days after.

(4) If your server is not updated and becomes affected, "rndc flushname
com" should correct the problem, as would restarting the server.

-- Larissa Shapiro Internet Systems Consortium Product Manager
Technology Leadership for the Common Good +1 650 423 1335 www.isc.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20110328/e93ec1b3/attachment.html

More information about the Dnssec-deployment mailing list