In message <[email protected]>, Alexander Gall writes:
> On 04 Feb 2010 15:39:55 +0000, Chris Thompson <[email protected]> said:
>
> > On Feb 4 2010, Alexander Gall wrote:
> >> Of the 60 sources in my sample,
> >> 26 responded to version queries. All of them identified themselves as
> >> some version of BIND
> >>
> >> 5 "9.5.0-P2"
> >> 3 "9.4.2-P2.1"
> >> 3 "9.4.2-P2"
> >> 3 "9.4.2-P1"
> >> 3 "9.3.4-P1"
> >> 1 "9.5.1-P3"
> >> 1 "9.5.0b3"
> >> 1 "9.4.1-P1"
> >> 1 "9.4.1"
> >> 1 "9.3.5-P2"
> >> 1 "9.3.5-P1"
> >> 1 "9.3.4-P1.2"
> >> 1 "9.3.4-P1.1"
> >> 1 "9.3.4"
> >>
> >> All of those are NSEC3-agnostic. They should not do any DNSSEC
> >> processing for the ch zone, because they don't support algorithm #7.
>
> > Most of the above versions will not have this fix
>
> > 2579. [bug] DNSSEC lookaside validation failed to handle unknown
> > algorithms. [RT #19479]
>
> > which could lead to all sorts of confusion if they are validating
> > via dlv.isc.org (say).
>
> Right, I forgot about that.

It's definitely reproducible with BIND 9.3.3 with DLV enabled. BIND
9.3.3 was when named shifted from using the private type for DLV
to an allocated type.

    dig txt ch.

Perhaps SWITCH could filter these out and send messages to the whois
technical contacts in an attempt to get these servers upgraded in the
interests of a more secure and robust DNS?

BIND 9.5.1-P3 does not make the queries in question.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]