Handling of RSASHA256 and RSASHA512 in BIND 9.6.0 and BIND 9.6.0-P1

Doug Barton dougb at dougbarton.us
Tue Dec 15 04:05:40 UTC 2009

While this reminder is timely and helpful, more welcome would be the
news that BIND 9.6.2 is going to have actual support for
RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem
to indicate that it does, although I would be happy to be proven wrong.

I personally don't think it's reasonable to expect everyone who wants
to validate with BIND to upgrade to 9.7.x for a variety of reasons
that I'd be happy to elucidate if they are not obvious.


Mark Andrews wrote:
> With upcoming deployment of RSASHA256 to sign the root zone, ISC
> would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
> DLV, but have not yet upgraded, that they will need to upgrade to
> a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
> will not correctly handle RSASHA256 and RSASHA512 signed zones in
> DLV.
> 2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
>                         algorithms. [RT #19479]
> This defect was addressed in BIND 9.6.1.
> ISC has arranged for two test zones to be made available which are
> signed using the new algorithms which are listed in dlv.isc.org.
> You can test whether you can successfully resolve these zones using the
> following queries.
> 	dig rsasha256.island.dlvtest.dns-oarc.net soa
> 	dig rsasha512.island.dlvtest.dns-oarc.net soa

More information about the bind-users mailing list
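The two `dig ... soa` checks in the quoted post are meant to be read by eye; the following added example (not part of the original message or of BIND) wraps them in a small classifier that reads the status and the `ad` flag from dig's header, so the outcome can be scripted. It assumes `dig` is installed and that the system resolver is the BIND instance under test; the sample dig headers are constructed.

```shell
#!/bin/sh
# classify_dig_output: reads dig output on stdin and prints one word.
#   validated    status NOERROR and the ad (authenticated data) flag is set
#   unvalidated  status NOERROR without ad: an answer came back, but the
#                resolver did not (or could not) validate it
#   failed       any other status, e.g. SERVFAIL from a resolver that cannot
#                handle the zone's signing algorithm
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ "$status" != "NOERROR" ]; then
        echo failed
        return 0
    fi
    case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo unvalidated ;;
    esac
}

# check_zone: run the suggested SOA query against the local resolver.
# +dnssec sets the DO bit, so a validating resolver reports the ad flag.
check_zone() {
    dig +dnssec "$1" soa | classify_dig_output
}

# Constructed sample headers (not real captures), trimmed to the lines the
# classifier reads.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Query the two test zones named in the post when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    for zone in rsasha256.island.dlvtest.dns-oarc.net \
                rsasha512.island.dlvtest.dns-oarc.net; do
        printf '%s: ' "$zone"
        check_zone "$zone"
    done
fi
```

Distinguishing `unvalidated` from `validated` is the useful part: an answer coming back only shows the resolver did not fail on the zone, not that it validated the RSASHA256 or RSASHA512 signatures.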