From: Doug Barton
Organization: http://SupersetSolutions.com/
Date: Sun, 06 Feb 2011 22:16:20 -0800
To: Jeremy Chadwick
Cc: Russell Jackson, freebsd-stable@freebsd.org
Subject: Re: bind 9.6.2 dnssec validation bug

On 02/06/2011 20:58, Jeremy Chadwick wrote:
| On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
|> I haven't seen any mention of this anywhere. Are there any plans to
|> update BIND in the 8.1/8.2 branches?
|>
|> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
|
| This was discussed vehemently in December 2010:
|
| http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640

Different issue. :)

| RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
| official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
|
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README

The 9.6.3 update was in ports the same day it was released, and is now in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue that Jeremy posted above.

I've sent the information about this problem to the release engineers; whether or not it makes it into 8.2-RELEASE is completely in their hands. However, the material that I sent them about this problem boiled down to the following:

1. This IS a significant bug for those who have DNSSEC validation enabled, however
2. Only a minority of our users have it enabled, and the named.conf in the base does not.
3. The bug can be worked around by restarting the affected name server _after_ it sees the new DS record, however
4. The only way to detect this problem is to wait for it to break.

There are also the additional long-standing points that the latest releases of BIND are always in the ports, and anyone doing "serious" DNSSEC at this stage will want to be running 9.7.x (or the upcoming 9.8.x) because it supports RFC 5011 trust anchor rollover, among other nice DNSSEC features.

| As for whether or not this will be backported to the RELENG_8_1 tag, I
| would say "probably", but Doug would be authoritative on that.

Back-porting it that far is definitely not being considered at the moment, and is unlikely to happen.

hth,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
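Points 3 and 4 above say the bug is only noticed once validation breaks and is cleared by restarting named. The script below is an added example (not from the list post, not part of BIND or FreeBSD) of a periodic probe that makes that break observable: it classifies dig(1) output and compares a normal query with a +cd (checking disabled) query against the resolver. RESOLVER, ZONE and the embedded sample output are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the list post): probe a validating resolver so a DNSSEC
# validation failure is noticed rather than waited for. Assumes dig(1) is installed.
RESOLVER="${RESOLVER:-127.0.0.1}"   # assumed local validating resolver
ZONE="${ZONE:-example.com.}"        # assumed to be a DNSSEC-signed zone

# classify_dig_output: read dig(1) output on stdin and print one word:
#   validated   NOERROR with the AD (authenticated data) flag set
#   servfail    SERVFAIL, the symptom of a failed validation
#   unvalidated an answer without AD (validation not performed, e.g. +cd)
#   unknown     no header line found (timeout, dig missing)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" |
        sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo unknown ;;
        SERVFAIL) echo servfail ;;
        NOERROR)  case " $flags " in
                      *" ad "*) echo validated ;;
                      *)        echo unvalidated ;;
                  esac ;;
        *)        echo "other:$status" ;;
    esac
}

# probe_resolver: query once normally and once with +cd (checking disabled).
# SERVFAIL without +cd but an answer with +cd points at the resolver's own
# validation/trust chain rather than at the zone itself. Exit 2 means alert.
probe_resolver() {
    v=$(dig @"$RESOLVER" "$ZONE" SOA +dnssec +time=3 +tries=1 2>/dev/null | classify_dig_output)
    c=$(dig @"$RESOLVER" "$ZONE" SOA +dnssec +cd +time=3 +tries=1 2>/dev/null | classify_dig_output)
    case "$v:$c" in
        validated:*)   echo "OK: $ZONE validates via $RESOLVER"; return 0 ;;
        servfail:unvalidated|servfail:validated)
            echo "ALERT: $RESOLVER fails validation for $ZONE but answers with +cd;" \
                 "check its trust chain; the post's workaround is restarting named" >&2; return 2 ;;
        *)             echo "WARN: $ZONE via $RESOLVER: $v (cd: $c)" >&2; return 1 ;;
    esac
}

# Offline demonstration on constructed dig output (not a real capture).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
printf '%s\n' "$SAMPLE_SERVFAIL" | classify_dig_output   # prints: servfail
# Live check only when dig is present, so the script also runs offline.
if command -v dig >/dev/null 2>&1; then probe_resolver; fi
```

Run it from cron against each validating resolver and page on exit status 2; a SERVFAIL that clears with +cd is the case the post describes, while a SERVFAIL in both queries is more likely the zone or the network.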