Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - Important BIND name server updates - DNSSEC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Important BIND name server updates - DNSSEC

Published: 2009-12-15
Last Updated: 2009-12-15 13:47:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.

From the ISC.org mailing list:

ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in dlv.isc.org.

You can test whether you can successfully resolve these zones using the
following queries.

    dig rsasha256.island.dlvtest.dns-oarc.net soa
    dig rsasha512.island.dlvtest.dns-oarc.net soa

[1] http://www.icann.org/en/announcements/announcement-2-09oct08-en.htm
[2] https://www.isc.org/software/bind/dnssec

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: bind dns dnssec
0 comment(s)
Diary Archives