Important BIND name server updates - DNSSEC - SANS Internet Storm Center

SANS ISC InfoSec Forums

Important BIND name server updates - DNSSEC
Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1. From the ISC.org mailing list: ISC has arranged for two test zones to be made available which are signed using the new algorithms which are listed in dlv.isc.org. You can test whether you can successfully resolve these zones using the following queries. dig rsasha256.island.dlvtest.dns-oarc.net soa dig rsasha512.island.dlvtest.dns-oarc.net soa [1] http://www.icann.org/en/announcements/announcement-2-09oct08-en.htm [2] https://www.isc.org/software/bind/dnssec ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022	Johannes 4511 Posts ISC Handler Dec 15th 2009
Thread locked Subscribe	Dec 15th 2009 1 decade ago