Following the deployment of DNSSEC in the .net zone, Verisign became aware of issues experienced by users of certain BIND versions when used as a recursive name server and configured for validation.
A user of BIND 9.7.0-P2, configured for validation with the root trust anchor, experienced SERVFAIL responses for all unsigned .net domains after the .net DS record was published in the root zone and after the .net NS records expired from his name server's cache. We were able to reproduce the issue in our lab and confirm this behavior. We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in 9.7.1b1 and later versions.

When configured for validation, stub resolvers querying a recursive name server running the aforementioned versions have a 50% chance of experiencing the issue upon introduction of a new DS record. Upon restart of the named process, resolution and validation both work as expected, without issues.

We recommend that anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for .com is planned to be published in the root zone). If you are unable to upgrade, we recommend monitoring the root zone on 31 March for the presence of the .com DS record and restarting recursive name servers performing validation as soon as possible after this DS record appears.

A more detailed description of this issue and our analysis is available at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
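The workaround in the post (watch the root zone for the .com DS record, then restart named) and the symptom it describes (SERVFAIL on unsigned names under the newly signed TLD) can both be scripted. The following is an added example, not code from the Verisign post or from BIND; it assumes `dig` from the BIND utilities is installed, and the root server name, restart command, poll interval and the `validation_broken` check (which compares an answer with validation on against one with the CD bit set) are this example's own choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not part of the original DNSOP post): poll the root zone for a
# TLD's DS record and restart a validating BIND once it appears, plus a check
# that tells a validator-side SERVFAIL apart from an authoritative failure.
# Assumptions (not from the post): dig is installed; ROOT_SERVER, RESTART_CMD
# and INTERVAL below are illustrative defaults to adjust for your system.

TLD="${TLD:-com}"
ROOT_SERVER="${ROOT_SERVER:-a.root-servers.net}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/named restart}"   # assumed init script
INTERVAL="${INTERVAL:-60}"

# ds_present NAME DIG_ANSWER
# Returns 0 if the captured answer section of 'dig DS NAME' holds at least one
# DS record owned by NAME, else 1. Parsing is separated from the network call
# so it can be exercised on a constructed answer without any DNS traffic.
ds_present() {
    n=$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v n="$n" '
        BEGIN { found = 0 }
        /^;/  { next }                                   # dig comment lines
        tolower($1) == n && $3 == "IN" && $4 == "DS" { found = 1 }
        END   { exit found ? 0 : 1 }'
}

# dig_status DIG_OUTPUT
# Prints the RCODE (NOERROR, SERVFAIL, ...) found in dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# query_ds NAME SERVER
# Ask SERVER (a root server, which is authoritative for the DS) for DS NAME
# and print only the answer section.
query_ds() {
    dig +norecurse +noall +answer DS "$1" @"$2"
}

# validation_broken NAME RESOLVER
# Returns 0 when RESOLVER returns SERVFAIL with validation active but answers
# NOERROR once the CD (checking disabled) bit is set: the failure is produced
# by the validator, which is the symptom described in the post.
validation_broken() {
    s1=$(dig_status "$(dig +dnssec "$1" @"$2" 2>/dev/null)")
    s2=$(dig_status "$(dig +dnssec +cd "$1" @"$2" 2>/dev/null)")
    [ "$s1" = "SERVFAIL" ] && [ "$s2" = "NOERROR" ]
}

# watch_and_restart
# Poll the root zone every INTERVAL seconds; restart named the first time the
# TLD's DS record shows up, then exit.
watch_and_restart() {
    while :; do
        ans=$(query_ds "$TLD" "$ROOT_SERVER" 2>/dev/null) || ans=""
        if ds_present "$TLD" "$ans"; then
            printf 'DS for %s seen at %s; restarting named\n' "$TLD" "$ROOT_SERVER" >&2
            $RESTART_CMD
            return 0
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when explicitly asked, e.g.:  TLD=com ./ds-watch.sh watch
if [ "${1-}" = "watch" ]; then
    watch_and_restart
fi
```

Run it with `watch` on the validating resolver itself (or with `RESTART_CMD` pointing at whatever restarts named on that host); `validation_broken example.net 127.0.0.1` is the quick way to confirm that a SERVFAIL a user reports is the validator's and not the authoritative server's.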
