2010-09-30 08:53:08 |
Antoin Verschuren |
bug |
|
|
added bug |
2010-09-30 13:00:43 |
Antoin Verschuren |
description |
Binary package hint: bind9
Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXdomains are reported as SERVFAILS:
; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
See also the discussion on the Bind User list: http://www.mail-archive.com/bind-users@lists.isc.org/msg05701.html
There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.1-P2 at least.
Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people that rely on log errors for Bind when introducing DNSSEC. |
Binary package hint: bind9
Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXdomains are reported as SERVFAILS:
; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
See also the discussion on the Bind User list: http://www.mail-archive.com/bind-users@lists.isc.org/msg05701.html
There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2 at least.
Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people that rely on log errors for Bind when introducing DNSSEC.
|
|
2010-09-30 15:02:47 |
James Page |
bug |
|
|
added subscriber James Page |
2010-09-30 17:27:22 |
Scott Moser |
bind9 (Ubuntu): importance |
Undecided |
Medium |
|
2010-09-30 17:27:22 |
Scott Moser |
bind9 (Ubuntu): status |
New |
Fix Released |
|
2010-09-30 17:27:34 |
Scott Moser |
nominated for series |
|
Ubuntu Lucid |
|
2010-11-18 10:42:52 |
James Page |
removed subscriber James Page |
|
|
|
2011-02-10 14:08:41 |
Marc Deslauriers |
bug task added |
|
bind9 (Ubuntu Lucid) |
|
2011-02-10 14:08:50 |
Marc Deslauriers |
bind9 (Ubuntu Lucid): status |
New |
Confirmed |
|
2011-02-10 15:13:28 |
Launchpad Janitor |
branch linked |
|
lp:~davewalker/ubuntu/lucid/bind9/lp_651875 |
|
2011-02-10 15:18:34 |
Launchpad Janitor |
branch linked |
|
lp:~davewalker/ubuntu/lucid/bind9/lp_651875 |
|
2011-02-10 15:38:43 |
Dave Walker |
description |
Binary package hint: bind9
Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXdomains are reported as SERVFAILS:
; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
See also the discussion on the Bind User list: http://www.mail-archive.com/bind-users@lists.isc.org/msg05701.html
There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2 at least.
Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people that rely on log errors for Bind when introducing DNSSEC.
|
Binary package hint: bind9
Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXdomains are reported as SERVFAILS:
; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074
See also the discussion on the Bind User list: http://www.mail-archive.com/bind-users@lists.isc.org/msg05701.html
There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2 at least.
Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people that rely on log errors for Bind when introducing DNSSEC.
=== SRU ===
IMPACT: In some situations, when DNSSEC is enabled bind9 could incorrectly return SERVFAIL rather than a correct result. (http://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record)
RESOLUTION: Correctly check the DNSSEC/DLV auth status before declaring the chain broken. Fixed upstream and cherry-picked, as part of release 9.6.2-P2.
PATCH: http://bazaar.launchpad.net/~davewalker/ubuntu/lucid/bind9/lp_651875/revision/22
TEST CASE:
Set up bind9, enable DNSSEC and DLV validation.
Look up a DNSSEC domain.
Sign a TLD and insert it into the zone file. :P
Or.. Wait until March 31st when this will happen with .com
Look up a DNSSEC domain (may have to wait for cache to expire)
Witness SERVFAIL on lookup.
DISCUSSION:
A good discussion of what happens if this isn't resolved is here: http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa . The regression potential is low, limited to an additional 'if' check which originated from upstream and has been released for a significant time. |
|
2011-02-10 15:40:03 |
Dave Walker |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2011-02-10 16:00:29 |
Dave Walker |
bind9 (Ubuntu Lucid): assignee |
|
Dave Walker (davewalker) |
|
2011-02-10 19:46:49 |
Brian Murray |
bind9 (Ubuntu Lucid): importance |
Undecided |
Medium |
|
2011-02-23 15:27:40 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
2011-02-23 21:07:13 |
Marc Deslauriers |
attachment added |
|
changelog between 9.7.0 and 9.7.3 https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/651875/+attachment/1867744/+files/changelog.txt |
|
2011-03-16 16:01:30 |
Dave Walker |
nominated for series |
|
Ubuntu Maverick |
|
2011-03-16 16:01:30 |
Dave Walker |
bug task added |
|
bind9 (Ubuntu Maverick) |
|
2011-03-16 16:01:49 |
Dave Walker |
bind9 (Ubuntu Lucid): assignee |
Dave Walker (davewalker) |
LaMont Jones (lamont) |
|
2011-03-16 16:01:59 |
Dave Walker |
bind9 (Ubuntu Maverick): assignee |
|
LaMont Jones (lamont) |
|
2011-05-19 14:50:31 |
C de-Avillez |
bug |
|
|
added subscriber C de-Avillez |
2011-09-19 21:31:30 |
Ubuntu Foundations Team Bug Bot |
tags |
|
testcase |
|
2014-01-11 18:37:04 |
Adolfo Jayme Barrientos |
bind9 (Ubuntu Maverick): status |
New |
Won't Fix |
|
2014-01-11 18:37:56 |
Adolfo Jayme Barrientos |
bind9 (Ubuntu Lucid): status |
Confirmed |
Won't Fix |
|