While this reminder is timely and helpful, more welcome would be the news that BIND 9.6.2 is going to have actual support for RSASHA{256|512}. My cursory reading of the 9.6.2b1 code does not seem to indicate that it does, although I would be happy to be proven wrong.
I personally don't think it's reasonable to expect everyone who wants to validate with BIND to upgrade to 9.7.x for a variety of reasons that I'd be happy to elucidate if they are not obvious.

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/

Mark Andrews wrote:
> With upcoming deployment of RSASHA256 to sign the root zone, ISC
> would like to remind BIND 9.6.0 and BIND 9.6.0-P1 users that use
> DLV, but have not yet upgraded, that they will need to upgrade to
> a more recent version of BIND 9.6.x as BIND 9.6.0 and BIND 9.6.0-P1
> will not correctly handle RSASHA256 and RSASHA512 signed zones in
> DLV.
>
> 2579.   [bug]   DNSSEC lookaside validation failed to handle unknown
>                 algorithms. [RT #19479]
>
> This defect was addressed in BIND 9.6.1.
>
> ISC has arranged for two test zones to be made available which are
> signed using the new algorithms which are listed in dlv.isc.org.
>
> You can test whether you can successfully resolve these zones using the
> following queries.
>
>     dig rsasha256.island.dlvtest.dns-oarc.net soa
>     dig rsasha512.island.dlvtest.dns-oarc.net soa
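
An added example, not part of either message above: one way to read the outcome of the two quoted `dig` test queries, by classifying the response header on its status and `ad` flag. The function name `classify_dig`, the `+dnssec` option in the usage comment and the sample headers are choices made here; the samples are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify a `dig` response read on stdin. Prints one of:
#   validated, resolved-unvalidated, no-answer, servfail, other:<STATUS>, no-header
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the section counts
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (status == "")              print "no-header"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "other:" status
            else if (answers == 0)         print "no-answer"
            else if (ad)                   print "validated"
            else                           print "resolved-unvalidated"
        }'
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Live use with the two test names from the quoted announcement:
#   for n in rsasha256 rsasha512; do
#       dig +dnssec "$n.island.dlvtest.dns-oarc.net" soa | classify_dig
#   done
```

A `servfail` result means the resolver could not resolve the test zone at all; `resolved-unvalidated` means it answered without setting the `ad` flag, so the data was not validated.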