Description of problem: It would be nice to have built-in support for the "delegation-only" keyword for certain zones. The "Verisign contaminating .com with wildcards and other fun stuff" problem would go away. Quoting the BIND ARM: "This is used to enforce the delegation only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This SHOULD NOT be applied to leaf zones." ISC has released a patch for this which applies cleanly to 9.2.2, of course. <ftp://ftp.isc.org/isc/bind9/9.2.2/patch.9.2.2-P1> The announcement was on the bind-announce mailing list. <http://marc.10east.com/?l=bind-announce&m=106378709918671&w=2> Thanks.
*** Bug 104480 has been marked as a duplicate of this bug. ***
Added the patch in bind-9.2.2-23. Should be in rawhide soon.
It seems that zone "." { type delegation-only; }; will not work, only "com" etc. Can you include this list in a proper way? How can this be done? http://www.clubneon.com/files/named.delegation-only Thanks.
Created attachment 94600 [details] new caching-nameserver srpm. /etc/named.conf also needs to be patched to activate the changes made in bind.
I agree. While technically not a bug, this fix is required for security features in other products to function properly; e.g., Sendmail and Postfix. Plus, having the fix available on RedHat would encourage wide adoption, which in turn would nullify the effects of VeriSign's "hijacking" of the purposes and RFC functions of the root servers. The second BIND patch for this issue has been released. I can understand if you want to wait a day or two for the dust to settle (the first patch has minor issues), but at least make some sort of announcement that a new RPM will be forthcoming.
I think what would make more sense is to wait until BIND 9.2.3 is released, and then push out 9.2.3 as an "enhancement" errata for all supported systems. Up through BIND 9.2.2, ISC implemented the "delegation-only" patch like so: zone "com" { type delegation-only; }; However, for BIND 9.2.3, all root zones will be delegation-only by default, and one will have to specifically exclude root zones which contain valid non-delegated data: options { root-delegation-only exclude { "de"; "lv"; "museum"; }; }; I don't think Red Hat should encourage the "type delegation-only" behavior, since ISC clearly intends to deprecate that behavior. Rather, I think Red Hat should put a bind-9.2.3rc4 RPM into Rawhide now, to get a head start on testing it, so that hopefully once ISC releases 9.2.3 final it won't take that long to run it through all the Q&A testing and get it published as an errata update. Does this seem reasonable?
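The two configuration styles discussed in this thread (per-TLD "type delegation-only" zones for 9.2.2-P1/P2, and the "root-delegation-only" option for 9.2.3), collected into one named.conf fragment. This is an added example, not an attachment from this bug and not text from the BIND distribution; the "directory" path and the decision to exclude exactly "de", "lv" and "museum" are assumptions, and a real deployment would use only one of the two styles depending on the BIND version installed.

```conf
// Added example; not from this bug report or from ISC.

// Style A: BIND 9.2.2 with the ISC patch (patch.9.2.2-P1 / P2).
// Each infrastructure TLD is declared delegation-only. Per the ARM quoted
// in the report, a reply for a name under one of these zones that carries
// no explicit or implicit delegation in its authority section is returned
// to the client as NXDOMAIN, so a wildcard A record served from the TLD
// itself is suppressed. The zone apex is not affected.
// Do not declare zone "." this way (a comment above reports it does not
// work) and do not apply it to leaf zones (the ARM says SHOULD NOT).
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
zone "org" { type delegation-only; };

// Style B: BIND 9.2.3 and later, as described in the last comment.
// Every TLD is treated as delegation-only by default; TLDs that
// legitimately serve non-delegation data are listed in "exclude".
// The three names below are the ones given in the comment; which TLDs
// actually belong here is an assumption to verify for your own resolver.
options {
    directory "/var/named";   // assumed path; adjust to your layout
    root-delegation-only exclude { "de"; "lv"; "museum"; };
};
```

After editing, run `named-checkconf` on the file before reloading: a 9.2.2 build without the ISC patch rejects "type delegation-only", and a pre-9.2.3 build rejects "root-delegation-only", so a syntax error here is the quickest sign that the configuration and the installed binary do not match. To confirm the behaviour, query the resolver for a nonexistent label under com and check that the reply status is NXDOMAIN rather than an answer carrying a wildcard address.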