Queries for NSEC3 hashed owner names

Mark Andrews marka at isc.org
Fri Feb 5 06:16:32 UTC 2010


In message <19306.62546.632032.348290 at hadron.switch.ch>, Alexander Gall writes:
> On 04 Feb 2010 15:39:55 +0000, Chris Thompson <cet1 at cam.ac.uk> said:
> 
> > On Feb 4 2010, Alexander Gall wrote:
> >> Of the 60 sources in my sample,
> >> 26 responded to version queries.  All of them identified themselves as
> >> some version of BIND
> >> 
> >> 5 "9.5.0-P2"
> >> 3 "9.4.2-P2.1"
> >> 3 "9.4.2-P2"
> >> 3 "9.4.2-P1"
> >> 3 "9.3.4-P1"
> >> 1 "9.5.1-P3"
> >> 1 "9.5.0b3"
> >> 1 "9.4.1-P1"
> >> 1 "9.4.1"
> >> 1 "9.3.5-P2"
> >> 1 "9.3.5-P1"
> >> 1 "9.3.4-P1.2"
> >> 1 "9.3.4-P1.1"
> >> 1 "9.3.4"
> >> 
> >> All of those are NSEC3-agnostic.  They should not do any DNSSEC
> >> processing for the ch zone, because they don't support algorithm #7.
> 
> > Most of the above versions will not have this fix
> 
> > 2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
> >                         algorithms. [RT #19479]
> 
> > which could lead to all sorts of confusion if they are validating
> > via dlv.isc.org (say).
> 
> Right, I forgot about that.

It's definitely reproducible with BIND 9.3.3 with DLV enabled.  BIND
9.3.3 was when named shifted from using the private type for DLV
to an allocated type.

	dig txt ch.

Perhaps SWITCH could filter these out and send messages to the whois
technical contacts in an attempt to get these servers upgraded in the
interests of a more secure and robust DNS?

BIND 9.5.1-P3 does not make the queries in question.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
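The thread above is about resolvers that query for NSEC3 hashed owner names in a zone they cannot process, and about identifying the sources so their operators can be contacted. As an added example (not from the original post, nor from ISC or SWITCH), the Python below scans BIND-style query-log lines and counts, per client address, queries whose leftmost label looks like an NSEC3 owner-name hash: 32 Base32hex characters (the RFC 5155 SHA-1 digest encoding) directly beneath the zone apex. The log lines, client addresses and hash labels are constructed for the example; they are not real resolvers or real hashes of names in ch.

```python
import re
from collections import Counter

# NSEC3 (RFC 5155) hashes each owner name with SHA-1 (160 bits) and encodes the
# digest in Base32hex: exactly 32 characters from the alphabet 0-9 a-v, no padding.
NSEC3_LABEL = re.compile(r"^[0-9a-v]{32}$")

# Fields of a BIND query-log line that matter here: client address and port,
# the queried name and the query type. Everything else on the line is ignored.
LOG_LINE = re.compile(
    r"client (?P<src>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log (not from the original post); addresses are from the
# RFC 5737 documentation ranges and the hash labels are made up.
SAMPLE_QUERY_LOG = """\
05-Feb-2010 06:10:01.123 client 192.0.2.10#53211: query: kk1m6c6gl0mlu6fi9t4fi8ouvemi8t3d.ch IN NSEC3 -ED (192.0.2.1)
05-Feb-2010 06:10:01.456 client 192.0.2.10#53211: query: 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.ch IN NSEC3 -ED (192.0.2.1)
05-Feb-2010 06:10:02.001 client 198.51.100.7#4711: query: www.example.ch IN A -ED (192.0.2.1)
05-Feb-2010 06:10:02.500 client 203.0.113.99#60001: query: ch IN TXT -ED (192.0.2.1)
05-Feb-2010 06:10:03.000 client 198.51.100.7#4711: query: 2vptu5timamqttgl4luu9kg21e0aor3s.ch IN A -ED (192.0.2.1)
"""


def looks_like_nsec3_owner(qname, zone):
    """True if qname is <32 Base32hex chars>.<zone>, i.e. an NSEC3 owner name
    directly under the zone apex. Names deeper or shallower than that, and the
    apex itself, are never hashed owner names of this zone."""
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.rstrip(".").lower().split(".")
    if len(labels) != len(zone_labels) + 1 or labels[1:] != zone_labels:
        return False
    return bool(NSEC3_LABEL.match(labels[0]))


def hashed_name_query_sources(log_text, zone):
    """Count, per client address, the queries for NSEC3 hashed owner names
    in `zone`. A Counter keyed by source address is returned so the caller
    can rank and follow up with the heaviest sources."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a query-log line (or a format we do not parse)
        if looks_like_nsec3_owner(m.group("qname"), zone):
            hits[m.group("src")] += 1
    return hits


if __name__ == "__main__":
    for src, n in hashed_name_query_sources(SAMPLE_QUERY_LOG, "ch").most_common():
        print(f"{src}: {n} hashed-owner-name queries")
```

The check is on the shape of the name, not on the query type: in the sample, one hashed owner name is asked for with type A, and it is still counted, because what matters is that the resolver is treating a hash label as a name to look up. A label that happens to be 32 Base32hex characters but is a legitimate hostname would be a false positive, so the counts are a starting point for the kind of follow-up the thread proposes, not proof on their own.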
