On Feb 2 2011, Tony Finch wrote:

>---------- Forwarded message ----------
>Date: Wed, 2 Feb 2011 10:21:13 -0500
>From: "Wessels, Duane" <[log in to unmask]>
>To: DNSSEC deployment <[log in to unmask]>
>Subject: [Dnssec-deployment] Please upgrade validators to at least
> BIND-9.7.2 before .com is signed

It's a pity that VeriSign didn't discuss this with ISC before putting
out the message (on many different mailing lists). There have been
attempts to correct some of the errors of fact it contains.

The problem is the one I referred to in passing in my posting

https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=ind1010&L=DNSSEC-DISCUSS&P=59

The fix is described in the CHANGES file as

2890.   [bug]           Handle the introduction of new trusted-keys and
                        DS, DLV RRsets better. [RT #21097]

and it is applied in these versions

  9.4-ESV-R3
  9.5.3b1    and later
  9.6-ESV-R2 and later
  9.6.3b1    and later
  9.7.1b1    and later
  9.8.0a1

(There is a consequential bug 2904, but that's fixed as well in
all non-beta releases.) 9.4 and 9.5 don't support RSASH256 and so
can't be used to validate doen from the root zone, but the bug
applies to zones appearing in dlv.isc.org as well as in a parent
zone.

Not that I would want to  discourage anyone from keeping up with BIND
releases, especially if doing DNSSEC validation, but VeriSign were
overdoing it a bit here.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: [log in to unmask]    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.