> This message, while operational in nature, is probably of interest to > the subscribed on bind-users, so I'm forwarding it here.
I just posted this response there: > We were able to reproduce the issue in our lab and confirm this behavior. > We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in > 9.7.1b1 and later versions. Please note that BIND releases don't progress in a linear fashion; a release of BIND 9.6 may occur after a release of BIND 9.7, and include the same bug fixes. I believe that to be the case here. I think you've found a relative of the bug that came up last April when .ARPA was signed. I blogged about that one at: http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa The bug was fixed in all BIND releases since that time: 9.4-ESV-R3, 9.5.3, 9.6.3, 9.6-ESV-R2, 9.7.1, and the upcoming 9.8.0. (Only the last four are really relevant to the current problem, though; 9.5 and earlier lack SHA256 algorithm support, and therefore they can't validate the root zone anyway.) If you're running a version older than any of those, please do upgrade. It's not necessary to jump all the way to 9.7.2 if you prefer to stay with 9.6, however. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
