NSEC3 validation fails for some wildcard records, in BIND pre-9.8.2b1 - consider updating 12.04LTS package

Bug #1395216 reported by Graham Clinch
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
bind9 (Ubuntu) | New | Undecided | Unassigned |

Bug Description

In some situations (a non-tiny zone size), BIND 9.8 pre-9.8.2b1 fails to correctly validate NSEC3 records covering wildcard names.

This is recorded in BIND's CHANGES:

3175.   [bug]           Fix how DNSSEC positive wildcard responses from a
                        NSEC3 signed zone are validated. Stop sending a
                        unnecessary NSEC3 record when generating such
                        responses. [RT #26200]

Ubuntu's stock configuration enables DNSSEC validation (this is good), but with 12.04 LTS being likely to be in production use for many more years, it would be helpful if this fix was back-ported. See https://lists.isc.org/pipermail/bind-users/2014-November/094191.html for a recent example of this problem.

Note that 14.04LTS uses BIND 9.9 which already contains this fix. This bug report is to request a fix to 12.04LTS.
