[Bug 651875] Re: Bind 9.7.0-P1 validation errors

Dave Walker davewalker at ubuntu.com
Thu Feb 10 15:38:43 UTC 2011 

** Description changed:

  Binary package hint: bind9
  
  Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
  When turning on DNSSEC, NXdomains are reported as SERVFAILS:
  
  ; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
  
  See also the discussion on the Bind User list: http://www.mail-
  archive.com/bind-users at lists.isc.org/msg05701.html
  
  There was a proposed patch, but it was never released because Bind 9.7.0
  is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2
  at least.
  
  Since DNSSEC is gaining momentum, and more and more TLD's and domains
  are DNSSEC signed, this bug is starting to annoy more and more people
  that rely on log errors for Bind when introducing DNSSEC.
+ 
+ === SRU ===
+ IMPACT: In some situations, when DNSSEC is enabled bind9 could incorrectly return SERVFAIL rather than a correct result. (http://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record)
+ 
+ RESOLUTION: Correctly check that DNSSEC/DLV auth status before declaring
+ the chain broken. Fixed upstream and cherry picked, as part of release
+ 9.6.2-P2.
+ 
+ PATCH:
+ http://bazaar.launchpad.net/~davewalker/ubuntu/lucid/bind9/lp_651875/revision/22
+ 
+ TEST CASE: 
+ Setup bind9, enable DNSSEC and DLV validation
+ Lookup a DNSSEC domain.
+ Sign a TLD and insert it into the zone file. :P
+ Or.. Wait until March 31st when this will happen with .com
+ Lookup a DNSSEC domain (may have to wait for cache to expire)
+ Witness SERVFAIL on lookup.
+ 
+ DISCUSSION: 
+ A good discussion of what happens if this isn't resolved is here, http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa . The regression potential is low, limited to an additional 'if' check which originated from upstream and has been released a significant time.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in ubuntu.
https://bugs.launchpad.net/bugs/651875

Title:
  Bind 9.7.0-P1 validation errors

More information about the Ubuntu-server-bugs mailing list