<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hola Amigos,<div><br></div><div>Este es un mensaje para aquellas personas que usan en sus servidores recursivos Fedora + BIND y tienen la validación de DNSSEC encendida. Resulta que BIND viene con un paquete llamado "dnssec-conf" que instala claves de confianza ("trust anchors") que están desactualizadas. Esto ha afectado zonas que servidores de LACNIC y otros RIRs son autoritativos. Aquí les envío el informe que armó el personal de RIPE y si se encuentran en las condiciones detalladas, sería bueno que revisaran vuestras configuraciones. Nosotros hemos contactado a algunos ISPs que hemos detectado en nuestros servidores que estaban siendo afectados.</div><div><br></div><div>Cordiales saludos,</div><div>Roque Gagliano</div><div><br></div><div><br></div><div>Dear Friends,</div><div><br></div><div>This message is for those people that use recursive servers based on Fedora + BIND and have DNSSEC validation enabled. BIND ships a packet called "dnssec-conf" that includes outdated trust-anchors. This problem has affected zonas where LACNIC's and other RIRs servers are authoritative. I am attaching the report from RIPE's staff. We have already contacted ISPs that we have detected as affected by analyzing requests to our servers.</div><div><br></div><div><br></div><div>Best Regards,</div><div>Roque Gagliano</div><div><br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">Anand Buddhdev <<a href="mailto:anandb@ripe.net">anandb@ripe.net</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">February 5, 2010 2:23:51 PM GMT+01:00<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:dns-wg@ripe.net">dns-wg@ripe.net</a><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>[dns-wg] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories</b><br></span></div><br><div>[Apologies for duplicates]<br><br>Dear Colleagues,<br><br>We have discovered that recent versions of the Fedora Linux distribution<br>are shipping with a package called "dnssec-conf", which contains the<br>RIPE NCC's DNSSEC trust anchors. This package is installed by default as<br>a dependency of BIND, and it configures BIND to do DNSSEC validation.<br><br>Unfortunately, the current version of this package (1.21) is outdated<br>and contains old trust anchors.<br><br>On 16 December 2009, we had a key roll-over event, where we removed the<br>old Key-Signing Keys (KSKs). From that time, BIND resolvers running on<br>Fedora Linux distributions could not validate any signed responses in<br>the RIPE NCC's reverse zones.<br><br>If you are running Fedora Linux with the standard BIND package, please<br>edit the file "/etc/pki/dnssec-keys//named.dnssec.keys", and comment out<br>all the lines in it containing the directory path "production/reverse".<br>Then restart BIND.<br><br>This will stop BIND from using the outdated trust anchors. If you do<br>want to use the RIPE NCC's trust anchors to validate our signed zones,<br>we recommend that you fetch the latest trust anchor file from our<br>website and reconfigure BIND to use it instead of the ones distributed<br>in the dnssec-conf package:<br><br><a href="https://www.ripe.net/projects/disi/keys/index.html">https://www.ripe.net/projects/disi/keys/index.html</a><br><br>Please remember to check frequently for updates to our trust anchor<br>file, as we introduce new Key-Signing Keys (KSKs) every 6 months.<br><br>Regards,<br><br>Anand Buddhdev,<br>DNS Services Manager, RIPE NCC<br></div></blockquote></div><br></div></body></html>