On 02/06/2011 10:16 PM, Doug Barton wrote:

On 02/06/2011 20:58, Jeremy Chadwick wrote:
| On Sun, Feb 06, 2011 at 05:05:08PM -0800, Russell Jackson wrote:
|> I haven't seen any mention of this anywhere. Are there any plans to
|> update BIND in the 8.1/8.2 branches?
|>
|> https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
|
| This was discussed vehemently in December 2010:
|
| http://lists.freebsd.org/pipermail/freebsd-stable/2010-December/thread.html#60640

Different issue. :)

| RELENG_8 (8.2-PRERELEASE as of the time of this writing) now has the
| official 9.6.3 as of a commit done by Doug Barton only a few hours ago:
|
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/
| http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/bind9/README

The 9.6.3 update was in ports the same day it was released, and is now
in HEAD and RELENG_8. It's not relevant to RELENG_7, which is the issue
that Jeremy posted above. I've sent the information about this problem
to the release engineers; whether or not it makes it into 8.2-RELEASE is
completely in their hands. However, the material that I sent them about
this problem boiled down to the following:

1. This IS a significant bug for those who have DNSSEC validation
enabled, however
2. Only a minority of our users have it enabled, and the named.conf in
the base does not.
3. The bug can be worked around by restarting the affected name server
_after_ it sees the new DS record, however
4. The only way to detect this problem is to wait for it to break.

There are also the additional long-standing points that the latest
releases of BIND are always in the ports, and anyone doing "serious"
DNSSEC at this stage will want to be running 9.7.x (or the upcoming
9.8.x) because it supports RFC 5011 trust anchor rollover, among other
nice DNSSEC features.

| As for whether or not this will be backported to the RELENG_8_1 tag, I
| would say "probably", but Doug would be authoritative on that.

Back-porting it that far is definitely not being considered at the
moment, and is unlikely to happen.


Looks like I should just suck it up and start using the bind97 port.

Thanks.

--
Russell A. Jackson <r...@csub.edu>
Network Analyst
California State University, Bakersfield
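Point 4 above says the only way to notice the bug is to wait for it to break. The following probe, added here as an example and not code from the thread or from ISC, checks for exactly that breakage: a zone whose new DS record has tripped the bug answers SERVFAIL from a validating BIND, but NOERROR when the same query sets the CD (checking disabled) bit, which is the case where the restart workaround from point 3 applies. It assumes `dig` from BIND is installed; the resolver address and zone name are placeholders.

```shell
#!/bin/sh
# Added example: distinguish a DNSSEC validation failure (restart the
# resolver after it has seen the new DS record) from a plain resolution
# failure (the zone is broken even with checking disabled).
# Assumed: dig from BIND is on PATH. Resolver/zone arguments are placeholders.

# Pull the RCODE out of a dig transcript, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify VALIDATING_RCODE CD_RCODE
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR) echo "VALIDATION_FAILURE" ;;   # data fine, validation not
        */SERVFAIL)       echo "RESOLUTION_FAILURE" ;;   # broken even with CD set
        NOERROR/*)        echo "OK" ;;
        *)                echo "UNKNOWN" ;;              # timeouts, REFUSED, etc.
    esac
}

# Live probe against your own validating resolver; suitable for cron.
probe() {
    resolver="$1"; zone="$2"
    v=$(dig @"$resolver" "$zone" SOA +dnssec +time=5 +tries=1 | dig_status)
    c=$(dig @"$resolver" "$zone" SOA +dnssec +cd +time=5 +tries=1 | dig_status)
    classify "${v:-TIMEOUT}" "${c:-TIMEOUT}"
}

if [ "${1:-}" = "--probe" ]; then
    # placeholders: local resolver and a signed zone you care about
    probe "${2:-127.0.0.1}" "${3:-example.net}"
fi
```

Run it as `sh probe.sh --probe 127.0.0.1 example.net` and alert on VALIDATION_FAILURE; RESOLUTION_FAILURE means the problem is not the validator and a restart will not help.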
