Please upgrade validators to at least BIND-9.7.2 before .com is signed

Evan Hunt each at
Wed Feb 2 17:03:01 UTC 2011

> This message, while operational in nature, is probably of interest to
> the subscribed on bind-users, so I'm forwarding it here.

I just posted this response there:

> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions.

Please note that BIND releases don't progress in a linear fashion; a
release of BIND 9.6 may occur after a release of BIND 9.7, and include
the same bug fixes.

I believe that to be the case here.  I think you've found a relative of
the bug that came up last April when .ARPA was signed.  I blogged about
that one at:

The bug was fixed in all BIND releases since that time: 9.4-ESV-R3, 9.5.3,
9.6.3, 9.6-ESV-R2, 9.7.1, and the upcoming 9.8.0.  (Only the last four
are really relevant to the current problem, though; 9.5 and earlier lack
SHA256 algorithm support, and therefore they can't validate the root zone

If you're running a version older than any of those, please do upgrade.
It's not necessary to jump all the way to 9.7.2 if you prefer to stay with
9.6, however.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list