Users of BIND version 9.5.x or 9.4.x AND DLV
--------------------------------------------
ISC announced a new user interface for DLV (DNSSEC Lookaside Validation) on March 11th. We have been running the DLV service in limited production and will shortly be ready to move to full production.

On 15th March 09 the US Government .gov TLD was added to DLV. The .gov zone is the first major TLD we know of which has been signed using NSEC3, which uses the NSEC3RSASHA1 DNSKEY signature algorithm. Unfortunately this change highlighted a shortcoming in the handling of DLV lookups for BIND versions 9.3, 9.4 and 9.5, which do not support or recognize the NSEC3RSASHA1 signature algorithm used with NSEC3.

DLV processing in these affected versions did not handle unknown signature algorithms correctly. They should have treated data signed with unknown signature algorithms as equivalent to unsigned data, as base DNSSEC validation does, but instead treated it as a validation failure. This caused significant operational issues for those DNSSEC early adopters using DLV to validate .gov zones. As a consequence, to avoid service disruption, ISC has temporarily removed the .gov trust anchor from DLV.

ISC has generated software patches applicable to BIND versions 9.4.3 and 9.5.1 which correct the resolution behavior. These patches can be downloaded from:

  ftp://ftp.isc.org/isc/bind9/9.4.3-P2/bind-9.4.3-P2.tar.gz
  ftp://ftp.isc.org/isc/bind9/9.5.1-P2/bind-9.5.1-P2.tar.gz

PGP signatures and Windows binary kits for these patches are in the usual places; see the individual release announcements for details. DLV users running versions of BIND prior to 9.4 are recommended to upgrade, or to contact ISC for assistance.

ISC is also conducting beta trials of the latest BIND release, 9.6.1. Note: although 9.6.0 has the same error handling for unknown algorithms as the prior versions, the problem will not be triggered there, as native support for NSEC3-signed zones is included.
Early adopters wishing to run fully patched BIND 9.6.1 code should run the latest beta release version:

  ftp://ftp.isc.org/isc/bind9/9.6.1b1/bind-9.6.1b1.tar.gz

In order to give BIND DLV users time to upgrade their resolvers to these fixed versions, ISC is suspending addition of the .gov DNSSEC trust anchor in DLV until 1st May 2009. From that date onwards it is assumed that all DLV users will be running BIND versions amended with the above patch, and that .gov and other zones with all possible signature algorithms will be present in DLV, which will only be supported for resolvers with the correct behavior as per this patch.

Note also that this problem only manifests itself for dynamic trust anchor lookups via services such as DLV; there are no issues for statically configured trust anchors, even with unknown signature algorithms. DNSSEC users who wish to validate .gov and other NSEC3-signed zones prior to 1st May are recommended to statically add these trust anchors to their configuration in the meantime.

Finally, BIND users who do not use DLV, or do not use DNSSEC at all, are not affected by this issue, and may continue to run their existing BIND release without any concerns.

DNSSEC, while an essential tool for securing the future of the Internet, is very much in an early adoption phase, and it is to be expected that bootstrap tools such as DLV may encounter some operational glitches as deployment experience is gathered. This is an issue for DLV service users only, and not in any way a shortcoming in the DNSSEC architecture.

We would like to thank members of the DNSSEC early adopter community (and in particular Michael Sinatra of UC Berkeley) for bringing this issue to our attention, and commend GSA as operators of the .gov zone, with the assistance of NIST, for aggressively deploying DNSSEC technologies. It is only through such early deployment and co-operation that lessons can be learned for the successful problem-free deployment of DNSSEC in the longer term.
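To make the interim workaround concrete, here is a named.conf fragment for a validating BIND 9.4/9.5 resolver. It is an added example, not configuration from the ISC announcement: the DLV registry zone name dlv.isc.org is assumed (the announcement does not name it; it was the registry ISC operated at the time), and the .gov key string is a placeholder, not the real key, which has to come from the zone operator's published trust anchor.

```conf
// Added example, not part of the ISC announcement. Validating resolver
// configuration for BIND 9.4.x / 9.5.x. Key material below is a PLACEHOLDER.

options {
    dnssec-enable yes;
    dnssec-validation yes;

    // Dynamic trust-anchor lookup through the DLV registry (zone name assumed
    // here as dlv.isc.org). On unpatched 9.3/9.4/9.5 builds this lookup path
    // treats a zone signed with the unrecognised NSEC3RSASHA1 algorithm as a
    // validation failure instead of as unsigned data, which is the behavior
    // the 9.4.3-P2 / 9.5.1-P2 patches correct. The DLV zone's own key must
    // also be listed under trusted-keys (omitted here).
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// Statically configured trust anchor for .gov: the recommended workaround
// until 1st May 2009. Static anchors do not trigger the DLV failure even
// when the zone uses a signature algorithm the resolver does not implement.
// Fields: owner name, flags (257 = key-signing key), protocol (3),
// algorithm (7 = RSASHA1-NSEC3-SHA1, i.e. NSEC3RSASHA1), base64 public key.
trusted-keys {
    "gov." 257 3 7 "PLACEHOLDER-replace-with-the-published-gov-KSK-in-base64";
};
```

After editing, check the syntax with named-checkconf before reloading, and remove the static "gov." entry once the resolver is running a patched release and the .gov anchor is restored to DLV, so that a future key rollover by the zone operator is picked up through DLV rather than leaving a stale static key in place.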
Keith Mitchell
ISC Director of Engineering

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users