Date: Sun, 06 Feb 2011 22:34:36 -0800
From: Russell Jackson <raj@csub.edu>
To: Doug Barton <dougb@FreeBSD.org>
Cc: freebsd-stable@FreeBSD.org, Jeremy Chadwick <freebsd@jdc.parodius.com>
Subject: Re: bind 9.6.2 dnssec validation bug
Message-ID: <4D4F927C.7040103@csub.edu>
In-Reply-To: <4D4F8E34.7030904@FreeBSD.org>
References: <4D4F4544.3010606@csub.edu> <20110207045802.GB15568@icarus.home.lan> <4D4F8E34.7030904@FreeBSD.org>
On 02/06/2011 10:16 PM, Doug Barton wrote:
> On 02/06/2011 20:58, Jeremy Chadwick wrote:
> | On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
> |> I haven't seen any mention of this anywhere. Are there any plans to
> |> update BIND in the 8.1/8.2 branches?
> |>
> |> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
> |
> | This was discussed vehemently in December 2010:
> |
> | http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640
>
> Different issue. :)
>
> | RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
> | official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
> |
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README
>
> The 9.6.3 update was in ports the same day it was released, and is now
> in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
> that Jeremy posted above. I've sent the information about this problem
> to the release engineers; whether or not it makes it into 8.2-RELEASE is
> completely in their hands. However, the material that I sent them about
> this problem boiled down to the following:
>
> 1. This IS a significant bug for those who have DNSSEC validation
>    enabled, however
> 2. Only a minority of our users have it enabled, and the named.conf in
>    the base does not.
> 3. The bug can be worked around by restarting the affected name server
>    _after_ it sees the new DS record, however
> 4. The only way to detect this problem is to wait for it to break.
>
> There are also the additional long-standing points that the latest
> releases of BIND are always in the ports, and anyone doing "serious"
> DNSSEC at this stage will want to be running 9.7.x (or the upcoming
> 9.8.x) because it supports RFC 5011 trust anchor rollover, among other
> nice DNSSEC features.
>
> | As for whether or not this will be backported to the RELENG_8_1 tag, I
> | would say "probably", but Doug would be authoritative on that.
>
> Back-porting it that far is definitely not being considered at the
> moment, and is unlikely to happen.

Looks like I should just suck it up and start using the bind97 port. Thanks.

-- 
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield
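Point 4 of the quoted summary ("the only way to detect this problem is to wait for it to break") is the gap an operator would want to close with monitoring. The following is an added example, not code from the thread or from BIND: it probes a validating resolver for a known signed name with the DO bit set, and treats a SERVFAIL that clears when CD (checking disabled) is set as a validation failure rather than an outage, which is the condition under which the restart workaround above applies. The resolver address and probe name are operator-supplied assumptions; only the header of the response is parsed.

```python
"""Added health check: tell a DNSSEC validation failure (SERVFAIL with CD=0, answer with CD=1) from a plain outage."""
import socket
import struct
import sys

SERVFAIL = 2

def build_query(name, qid=0x1234, cd=False):
    """Build an A/IN query with RD set, optional CD, and an EDNS0 OPT RR carrying the DO bit."""
    flags = 0x0100 | (0x0010 if cd else 0)                  # RD, plus CD when requested
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)              # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, UDP payload 4096, ext-rcode 0, version 0, DO flag, no RDATA
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_response(data):
    """Return (rcode, ad) from a response header; rcode 2 is SERVFAIL, AD means validated."""
    flags = struct.unpack(">H", data[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def classify(rcode_cd0, ad_cd0, rcode_cd1=None):
    """Combine the CD=0 result with an optional CD=1 retry into a verdict string."""
    if rcode_cd0 == 0:
        return "validated" if ad_cd0 else "unvalidated"     # no AD bit: resolver is not validating
    if rcode_cd0 == SERVFAIL and rcode_cd1 == 0:
        return "validation-failure"                         # data resolves once checking is disabled
    return "resolver-error"                                 # fails either way: outage, not validation

def probe(resolver, name, timeout=2.0):
    """Query the resolver over UDP; retry with CD=1 only when the CD=0 query returned SERVFAIL."""
    def ask(cd):
        qid = 0x1235 if cd else 0x1234
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid=qid, cd=cd), (resolver, 53))
            data = s.recv(4096)
        if data[:2] != struct.pack(">H", qid):
            raise ValueError("response id mismatch")
        return parse_response(data)
    rcode, ad = ask(False)
    rcode_cd1 = ask(True)[0] if rcode == SERVFAIL else None
    return classify(rcode, ad, rcode_cd1)

if __name__ == "__main__":   # usage: python check.py <resolver-ip> <signed-name>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from cron against a name you know is correctly signed; a "validation-failure" verdict is the signal to investigate (and, per the thread, to restart named) instead of waiting for users to report breakage.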