Bind 9.7.0-P1 validation errors
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| bind9 (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Won't Fix | Medium | LaMont Jones | |
| Maverick | Won't Fix | Undecided | LaMont Jones | |
Bug Description
Binary package hint: bind9
Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXDOMAINs are reported as SERVFAILs:
; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
See also the discussion on the Bind User list: http://<email address hidden>
There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2 at least.
Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people who rely on log errors for Bind when introducing DNSSEC.
=== SRU ===
IMPACT: In some situations, when DNSSEC is enabled, bind9 could incorrectly return SERVFAIL rather than a correct result. (http://
RESOLUTION: Correctly check the DNSSEC/DLV auth status before declaring the chain broken. Fixed upstream and cherry picked, as part of release 9.6.2-P2.
PATCH: http://
TEST CASE:
Set up bind9, enable DNSSEC and DLV validation
Lookup a DNSSEC domain.
Sign a TLD and insert it into the zone file. :P
Or... wait until March 31st, when this will happen with .com
Lookup a DNSSEC domain (may have to wait for cache to expire)
Witness SERVFAIL on lookup.
DISCUSSION:
A good discussion of what happens if this isn't resolved is here: http://
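The test case above ends with "witness SERVFAIL on lookup", but SERVFAIL on its own does not tell you whether the validator rejected the data or the lookup failed for an unrelated reason. The usual way to tell them apart is to repeat the query with `+cd` (checking disabled): if the `+cd` query succeeds (for example returns NXDOMAIN, the answer the report says is being turned into SERVFAIL) while the validating query fails, the problem is validation. The script below is an added example, not part of the bug report or of bind9; it parses dig's header line and classifies the pair of results. The sample header lines are constructed (the second id is made up), and the resolver address 127.0.0.1 and the AAAA query type are assumptions taken from the report's own dig invocation.

```shell
#!/bin/sh
# Added example (not from the bug report or from bind9): separate a DNSSEC
# validation failure from an ordinary resolution failure by comparing a
# validating lookup with the same lookup run with +cd (checking disabled).

# Print the status field from the first ";; ->>HEADER<<-" line dig prints.
dig_status() {
    awk '/^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print; exit }'
}

# Classify a pair of statuses: $1 from the validating lookup, $2 from the
# same lookup with +cd.
classify() {
    if [ "$1" = "SERVFAIL" ] && [ "$2" != "SERVFAIL" ]; then
        echo "validation-failure"   # data is reachable but the validator rejects it
    elif [ "$1" = "SERVFAIL" ]; then
        echo "resolution-failure"   # fails either way: not a DNSSEC problem
    elif [ "$1" = "$2" ]; then
        echo "consistent"           # validator agrees with the unvalidated answer
    else
        echo "inconsistent"         # unexpected pairing: inspect the resolver logs
    fi
}

# Live check (needs dig and network access; only runs when a name is given):
# compare the two lookups against a resolver, 127.0.0.1 by default (assumed).
check_name() {
    name="$1"
    server="${2:-127.0.0.1}"
    v=$(dig @"$server" "$name" AAAA +dnssec | dig_status)
    c=$(dig @"$server" "$name" AAAA +dnssec +cd | dig_status)
    printf '%s validating=%s cd=%s -> %s\n' "$name" "$v" "$c" "$(classify "$v" "$c")"
}

# Constructed sample headers: the validating answer from the report, and a
# +cd answer for the same name as the report describes it (id is made up).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46075'

if [ "$#" -gt 0 ]; then
    check_name "$@"
else
    v=$(printf '%s\n' "$SAMPLE_VALIDATING" | dig_status)
    c=$(printf '%s\n' "$SAMPLE_CD" | dig_status)
    printf 'sample: validating=%s cd=%s -> %s\n' "$v" "$c" "$(classify "$v" "$c")"
fi
```

Run it with no arguments to see the classification of the constructed sample, or as `sh check.sh www.example.net 127.0.0.1` against a real resolver; a `validation-failure` result for a name that resolves fine elsewhere is the symptom this bug describes, and `resolution-failure` points at the network or the upstream servers instead.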
description: updated
Changed in bind9 (Ubuntu Lucid): status: New → Confirmed
description: updated
Changed in bind9 (Ubuntu Lucid): assignee: nobody → Dave Walker (davewalker)
Changed in bind9 (Ubuntu Lucid): importance: Undecided → Medium
Changed in bind9 (Ubuntu Lucid): assignee: Dave Walker (davewalker) → LaMont Jones (lamont)
Changed in bind9 (Ubuntu Maverick): assignee: nobody → LaMont Jones (lamont)
tags: added: testcase
Changed in bind9 (Ubuntu Maverick): status: New → Won't Fix
Changed in bind9 (Ubuntu Lucid): status: Confirmed → Won't Fix
Correction: the bug fix was released in Bind 9.7.0-P2:
--- 9.7.0-P2 released ---
2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]
--- 9.7.0-P1 released ---
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
--- 9.7.0 released ---