[lacnog] Fwd: [dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Carlos Martinez-Cagnazzo carlosm3011 en gmail.com
Jue Feb 3 10:25:10 BRST 2011

De interes para quienes operan dns recursivos y esten pensando en
comenzar a validar.



---------- Forwarded message ----------
From: Wessels, Duane <dwessels en verisign.com>
Date: Wed, Feb 2, 2011 at 1:21 PM
Subject: [dns-operations] Please upgrade validators to at least
BIND-9.7.2 before .com is signed
To: DNS Operations List <dns-operations en mail.dns-oarc.net>

Following the deployment of DNSSEC in the .net zone, Verisign became aware
of issues experienced by users of certain BIND versions when used as a
recursive name server and configured for validation.

A user of a BIND 9.7.0-P2, configured for validation with the root trust
anchor, experienced SERVFAIL responses for all unsigned .net domains after
the .net DS record was published in the root zone and after .net NS records
expired from his name server's cache.

We were able to reproduce the issue in our lab and confirm this behavior.
We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
9.7.1b1 and later versions. When configured for validation, stub resolvers
querying a recursive name server running the aforementioned versions have
a 50% chance of experiencing the issue upon introduction of a new DS record.
Upon restart of the named process, resolution and validation both work as
expected, without issues.

We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
.com is planned to be published in the root zone). If you are unable to
upgrade, we recommend monitoring the root zone on 31 March for the presence
of the .com DS record and restarting recursive name servers performing
validation as soon as possible after this DS record appears.

A more detailed description of this issue and our analysis is available
at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
dns-operations mailing list
dns-operations en lists.dns-oarc.net

Carlos M. Martinez-Cagnazzo

Más información sobre la lista de distribución LACNOG