Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Important BIND name server updates - DNSSEC - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Important BIND name server updates - DNSSEC

Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.

From the mailing list:

ISC has arranged for two test zones to be made available which are
signed using the new algorithms which are listed in

You can test whether you can successfully resolve these zones using the
following queries.

    dig soa
    dig soa



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4511 Posts
ISC Handler
Dec 15th 2009

Sign Up for Free or Log In to start participating in the conversation!