On Feb 2 2011, Tony Finch wrote:
>---------- Forwarded message ----------
>Date: Wed, 2 Feb 2011 10:21:13 -0500
>From: "Wessels, Duane" <[log in to unmask]>
>To: DNSSEC deployment <[log in to unmask]>
>Subject: [Dnssec-deployment] Please upgrade validators to at least
> BIND-9.7.2 before .com is signed

It's a pity that VeriSign didn't discuss this with ISC before putting
out the message (on many different mailing lists). There have been
attempts to correct some of the errors of fact it contains.

The problem is the one I referred to in passing in my posting

  https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=ind1010&L=DNSSEC-DISCUSS&P=59

The fix is described in the CHANGES file as

  2890. [bug] Handle the introduction of new trusted-keys and
        DS, DLV RRsets better. [RT #21097]

and it is applied in these versions

  9.4-ESV-R3
  9.5.3b1 and later
  9.6-ESV-R2 and later
  9.6.3b1 and later
  9.7.1b1 and later
  9.8.0a1

(There is a consequential bug 2904, but that's fixed as well in
all non-beta releases.) 9.4 and 9.5 don't support RSASHA256 and so
can't be used to validate down from the root zone, but the bug
applies to zones appearing in dlv.isc.org as well as in a parent
zone.

Not that I would want to discourage anyone from keeping up with BIND
releases, especially if doing DNSSEC validation, but VeriSign were
overdoing it a bit here.

--
Chris Thompson University of Cambridge Computing Service,
Email: [log in to unmask] New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.