Queries for NSEC3 hashed owner names
Alexander Gall
gall at switch.ch
Thu Feb 4 16:22:42 UTC 2010
On 04 Feb 2010 15:39:55 +0000, Chris Thompson <cet1 at cam.ac.uk> said:
> On Feb 4 2010, Alexander Gall wrote:
>> Of the 60 sources in my sample,
>> 26 responded to version queries. All of them identified themselves as
>> some version of BIND
>>
>> 5 "9.5.0-P2"
>> 3 "9.4.2-P2.1"
>> 3 "9.4.2-P2"
>> 3 "9.4.2-P1"
>> 3 "9.3.4-P1"
>> 1 "9.5.1-P3"
>> 1 "9.5.0b3"
>> 1 "9.4.1-P1"
>> 1 "9.4.1"
>> 1 "9.3.5-P2"
>> 1 "9.3.5-P1"
>> 1 "9.3.4-P1.2"
>> 1 "9.3.4-P1.1"
>> 1 "9.3.4"
>>
>> All of those are NSEC3-agnostic. They should not do any DNSSEC
>> processing for the ch zone, because they don't support algorithm #7.
>
> Most of the above versions will not have this fix
>
> 2579. [bug] DNSSEC lookaside validation failed to handle unknown
> algorithms. [RT #19479]
>
> which could lead to all sorts of confusion if they are validating
> via dlv.isc.org (say).

Right, I forgot about that.

> But the solitary 9.5.1-P3 is a counter-example (2579 was fixed in
> 9.5.1-P2). Maybe its version number is faked ...

It might still be worth checking what exactly causes this behaviour.

--
Alex