Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
On Dec 15 2009, Evan Hunt wrote: (Doug Barton wrote) BIND 9.6.2 is in the b1 phase atm, which means that there is plenty of time to get SHA2 in there and get the release out before a signed root goes live. I encourage the folks at ISC to do so, and if you agree I encourage you to make your voice heard. We hear you. Expect a decision in the next few days. So, has the decision been made? [I am tentatively planning on going to 9.7 in production round about Easter, in good time for the RSASHA256-signed root zone in July, but it would be nice to have a fall-back option.] -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
We hear you. Expect a decision in the next few days. So, has the decision been made? [I am tentatively planning on going to 9.7 in production round about Easter, in good time for the RSASHA256-signed root zone in July, but it would be nice to have a fall-back option.] I'm sorry, I completely forgot to follow up on this. Thank you for the nudge. Yes, we are backporting the SHA-2 algorithms into 9.6. It will be in the next release, which I believe will be called 9.6.2rc1, and will be out by the end of this month. (I expect it to be sooner, actually; I'm just hedging my bet.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
On Dec 15 2009, Doug Barton wrote:
While this reminder is timely and helpful, more welcome would be the
news that BIND 9.6.2 is going to have actual support for
RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem
to indicate that it does, although I would be happy to be proven wrong.
I personally don't think it's reasonable to expect everyone who wants
to validate with BIND to upgrade to 9.7.x for a variety of reasons
that I'd be happy to elucidate if they are not obvious.
Quoting from https://lists.isc.org/pipermail/bind-users/2009-October/077853.html
(me)
Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It
might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01,
if that's when the root zone is going to be *really* signed (with RSASHA256,
according to current reports).
(Evan Hunt)
Not 9.5.x, as it lacks NSEC3 support.
Adding SHA-2 to 9.6.x would violate our policy of making major
functional changes only in major releases, so I don't expect we'll
do that. Given the odd circumstances you mentioned, I won't say for
certain that we won't--but I doubt it.
9.7.0 is going to be final in a little over a month, which is fortunate
timing.
(But it's not too obvious to me that adding support for a new signing
algorithm should necessarily be considered a major functional change.)
--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
On Mon, Dec 14, 2009 at 08:05:40PM -0800,
Doug Barton do...@dougbarton.us wrote
a message of 44 lines which said:
While this reminder is timely and helpful, more welcome would be the
news that BIND 9.6.2 is going to have actual support for
RSASHA{256|512}.
No, it won't. Migrating to = 9.6.1 is necessary to avoid breakage,
not to validate the root.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
Chris Thompson wrote: (Evan Hunt) Adding SHA-2 to 9.6.x would violate our policy of making major functional changes only in major releases, so I don't expect we'll do that. Given the odd circumstances you mentioned, I won't say for certain that we won't--but I doubt it. 9.7.0 is going to be final in a little over a month, which is fortunate timing. (But it's not too obvious to me that adding support for a new signing algorithm should necessarily be considered a major functional change.) Yes, I remembered Evan's statement from a while back, and didn't respond at the time because I wanted to think about it some more. Having thought about it, I agree with you that in my mind it's not a major functional change, and I strongly believe that adding support for it in 9.6 is the right thing to do. To expand on that a little more (and to slightly agree with Stephane) it's already been necessary for anyone who wants to _validate_ to have migrated to 9.6 for some time now. 9.6 has proven to be a good release, and everyone that I've recommended upgrading to it has been thoroughly satisfied. Therefore (within the validator demographic) we've got a pretty good installed base for whom a minor version upgrade would not be a problem, and will likely happen when 9.6.2 is released in any case. Expecting that installed base to upgrade to an unproven .0 release with a lot of new features (read, untried code paths) is not realistic. And it should go without saying that this is with all due respect to the fine people who actually write BIND code. I know they work hard to get it right, but I also know we're _all_ human. OTOH for those that want to _sign_ their zones I'm have been telling people for a while now that they need to start working with 9.7. I even created a FreeBSD port for the RC version (which I have not done for previous RCs) to help accelerate that process. BIND 9.6.2 is in the b1 phase atm, which means that there is plenty of time to get SHA2 in there and get the release out before a signed root goes live. I encourage the folks at ISC to do so, and if you agree I encourage you to make your voice heard. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
Evan Hunt wrote: BIND 9.6.2 is in the b1 phase atm, which means that there is plenty of time to get SHA2 in there and get the release out before a signed root goes live. I encourage the folks at ISC to do so, and if you agree I encourage you to make your voice heard. We hear you. That's as much as I can hope for, thanks. :) Doug -- Improve the effectiveness of your Internet presence with a domain name makeover!http://SupersetSolutions.com/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
BIND 9.6.2 is in the b1 phase atm, which means that there is plenty of time to get SHA2 in there and get the release out before a signed root goes live. I encourage the folks at ISC to do so, and if you agree I encourage you to make your voice heard. We hear you. Expect a decision in the next few days. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
In message prayer.1.3.2.0912151543550.32...@hermes-1.csi.cam.ac.uk, Chris Tho mpson writes: (But it's not too obvious to me that adding support for a new signing algorithm should necessarily be considered a major functional change.) If it was *just* adding a new signing algorithm then yes it would be a minor change. A lot more happened under the hood to support the new algorithms on all platforms. Remember crypto support on some platforms is pretty old and doesn't support SHA256/512 + RSA directly so we had to use more primative methods on these platforms. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1
While this reminder is timely and helpful, more welcome would be the
news that BIND 9.6.2 is going to have actual support for
RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem
to indicate that it does, although I would be happy to be proven wrong.
I personally don't think it's reasonable to expect everyone who wants
to validate with BIND to upgrade to 9.7.x for a variety of reasons
that I'd be happy to elucidate if they are not obvious.
Doug
--
Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/
Mark Andrews wrote:
With upcoming deployment of RSASHA256 to sign the root zone, ISC
would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
DLV, but have not yet upgraded, that they will need to upgrade to
a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
will not correctly handle RSASHA256 and RSASHA512 signed zones in
DLV.
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
This defect was addressed in BIND 9.6.1.
ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.
You can test whether you can successfully resolve these zones using the
following queries.
dig rsasha256.island.dlvtest.dns-oarc.net soa
dig rsasha512.island.dlvtest.dns-oarc.net soa
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
