Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

Mark Andrews marka at isc.org
Tue Dec 15 03:40:35 UTC 2009

With upcoming deployment of RSASHA256 to sign the root zone, ISC
would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
DLV, but have not yet upgraded, that they will need to upgrade to
a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
will not correctly handle RSASHA256 and RSASHA512 signed zones in

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

This defect was addressed in BIND 9.6.1.

ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.

You can test whether you can successfully resolve these zones using the
following queries.

        dig rsasha256.island.dlvtest.dns-oarc.net soa
        dig rsasha512.island.dlvtest.dns-oarc.net soa

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: mark at isc.org

More information about the bind-users mailing list