Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

Mark Andrews marka at isc.org
Tue Dec 15 03:39:48 UTC 2009


With upcoming deployment of RSASHA256 to sign the root zone, ISC
would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
DLV, but have not yet upgraded, that they will need to upgrade to
a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
will not correctly handle RSASHA256 and RSASHA512 signed zones in
DLV.

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

This defect was addressed in BIND 9.6.1.

ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.

You can test whether you can successfully resolve these zones using the
following queries.

	dig rsasha256.island.dlvtest.dns-oarc.net soa
	dig rsasha512.island.dlvtest.dns-oarc.net soa

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: mark at isc.org




More information about the bind-announce mailing list