From owner-freebsd-stable@FreeBSD.ORG Mon Feb 7 06:34:40 2011
From: Russell Jackson <raj@csub.edu>
Date: Sun, 06 Feb 2011 22:34:36 -0800
To: Doug Barton
Cc: freebsd-stable@FreeBSD.org, Jeremy Chadwick
Subject: Re: bind 9.6.2 dnssec validation bug
Message-ID: <4D4F927C.7040103@csub.edu>
In-Reply-To: <4D4F8E34.7030904@FreeBSD.org>
List-Id: Production branch of FreeBSD source code
On 02/06/2011 10:16 PM, Doug Barton wrote:
> On 02/06/2011 20:58, Jeremy Chadwick wrote:
> | On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
> |> I haven't seen any mention of this anywhere. Are there any plans to
> |> update BIND in the 8.1/8.2 branches?
> |>
> |> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
> |
> | This was discussed vehemently in December 2010:
> |
> | http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640
>
> Different issue. :)
>
> | RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
> | official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
> |
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
> | http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README
>
> The 9.6.3 update was in ports the same day it was released, and is now
> in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
> that Jeremy posted above. I've sent the information about this problem
> to the release engineers; whether or not it makes it into 8.2-RELEASE is
> completely in their hands. However, the material that I sent them about
> this problem boiled down to the following:
>
> 1. This IS a significant bug for those who have DNSSEC validation
> enabled, however
> 2. Only a minority of our users have it enabled, and the named.conf in
> the base does not.
> 3. The bug can be worked around by restarting the affected name server
> _after_ it sees the new DS record, however
> 4. The only way to detect this problem is to wait for it to break.
>
> There are also the additional long-standing points that the latest
> releases of BIND are always in the ports, and anyone doing "serious"
> DNSSEC at this stage will want to be running 9.7.x (or the upcoming
> 9.8.x) because it supports RFC 5011 trust anchor rollover, among other
> nice DNSSEC features.
>
> | As for whether or not this will be backported to the RELENG_8_1 tag, I
> | would say "probably", but Doug would be authoritative on that.
>
> Back-porting it that far is definitely not being considered at the
> moment, and is unlikely to happen.

Looks like I should just suck it up and start using the bind97 port. Thanks.

--
Russell A. Jackson
Network Analyst
California State University, Bakersfield
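Point 4 in Doug's summary (the only way to detect the problem is to wait for it to break) is really a monitoring gap: a validating resolver that can no longer build a chain of trust answers SERVFAIL, and nothing in the base system notices. The script below is an added example, not code from the thread, from FreeBSD or from ISC. It parses dig(1) output and classifies an answer as validated (NOERROR with the AD flag), unvalidated (NOERROR without AD) or servfail, so that a cron job can alert, or apply the thread's workaround of restarting named, as soon as validation stops working rather than when users complain. The resolver address, the name queried and the abbreviated dig outputs used for the self-test are all assumptions constructed for this example; on a real box, query a name you know to be signed.

```shell
#!/bin/sh
# Added example, not from the thread: health check for a validating resolver.
# The resolver address, test name and sample dig output are assumptions.

# classify_dig_output: read dig(1) output on stdin and print one word:
#   validated   - status NOERROR and the AD (authenticated data) flag set
#   unvalidated - NOERROR without AD (validation off, or the name is unsigned)
#   servfail    - SERVFAIL, what a validator returns when it cannot build a
#                 chain of trust (the symptom the thread is about)
#   other       - anything else (NXDOMAIN, REFUSED, no reply, ...)
classify_dig_output() {
    cdo_out=$(cat)
    cdo_status=$(printf '%s\n' "$cdo_out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    cdo_flags=$(printf '%s\n' "$cdo_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$cdo_status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            # Pad with spaces so "ad" is matched as a whole flag, not inside "aa" etc.
            case " $cdo_flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        *) echo other ;;
    esac
}

# check_resolver RESOLVER NAME: live check; exit status 0 only when the
# answer validated. Needs dig(1) and network access, so the self-test below
# does not call it. Run it from cron and act on a non-zero exit, e.g. by
# restarting named after the new DS record has been seen (the workaround
# described in the thread) and paging someone.
check_resolver() {
    cr_result=$(dig +dnssec @"$1" "$2" A | classify_dig_output)
    echo "$1 $2 $cr_result"
    [ "$cr_result" = validated ]
}

# Constructed sample outputs: only the two dig header lines the parser uses.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# self_test: run the classifier over the constructed samples; non-zero exit
# means the parser does not recognise the dig format it is fed.
self_test() {
    [ "$(printf '%s\n' "$SAMPLE_VALIDATED"   | classify_dig_output)" = validated ]   &&
    [ "$(printf '%s\n' "$SAMPLE_UNVALIDATED" | classify_dig_output)" = unvalidated ] &&
    [ "$(printf '%s\n' "$SAMPLE_SERVFAIL"    | classify_dig_output)" = servfail ]
}
```

Usage on a resolver is `check_resolver 127.0.0.1 some.signed.name` (both arguments are placeholders); a result of `servfail` for a name that validated yesterday is exactly the failure mode Doug describes, and `unvalidated` on a resolver that is supposed to validate means the AD bit is missing and validation is effectively off. The classifier keys only on the `status:` and `;; flags:` header lines, so it is independent of the records in the answer section.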