Bug 104569 - rfe: support for "delegation-only"
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: bind
Version: 1.0
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Keywords: FutureFeature
Duplicates: 104480
Reported: 2003-09-17 07:23 EDT by Kaj J. Niemi
Modified: 2007-04-18 12:57 EDT (History)

Doc Type: Enhancement
Last Closed: 2003-09-17 09:46:55 EDT
Attachments
new caching-nameserver srpm (8.10 KB, application/bitmap)
2003-09-19 13:42 EDT, Stephen Samuel
Description Kaj J. Niemi 2003-09-17 07:23:38 EDT
Description of problem:
It would be nice to have built in support for the "delegation-only" keyword for
certain zones. The "Verisign contaminating .com with wildcards and other fun
stuff" problem would go away.

Quoting Bind ARM:

"This is used to enforce the delegation only status of infrastructure zones
(e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit
delegation in the authority section will be treated as NXDOMAIN. This does not
apply to the zone apex. This SHOULD NOT be applied to leaf zones."


ISC has released a patch for this which applies cleanly to 9.2.2, of course.

<ftp://ftp.isc.org/isc/bind9/9.2.2/patch.9.2.2-P1>

The announcement was on the bind-announce mailinglist.

<http://marc.10east.com/?l=bind-announce&m=106378709918671&w=2>


Thanks.
Comment 1 Chris Ricker 2003-09-17 08:03:39 EDT
*** Bug 104480 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2003-09-17 09:46:55 EDT
Added the patch in bind-9.2.2-23.

Should be in rawhide soon.
Comment 3 shrek-m 2003-09-18 16:38:23 EDT
It seems that
 zone "." { type delegation-only; };
will not work, only "com" etc.

Can you include this list in a proper way?
How can this be done?

http://www.clubneon.com/files/named.delegation-only

thanks
Comment 4 Stephen Samuel 2003-09-19 13:42:15 EDT
Created attachment 94600 [details]
new caching-nameserver srpm

/etc/named.conf also needs to be patched to activate the changes made in bind
Comment 5 Dean K. Gibson 2003-09-20 20:41:46 EDT
I agree. While technically not a bug, this fix is required for security
features in other products to function properly; e.g., Sendmail and Postfix.
Plus, having the fix available on RedHat would encourage wide adoption, which
in turn would nullify the effects of VeriSign's "hijacking" of the purposes and
RFC functions of the root servers.

The second BIND patch for this issue has been released. I can understand if
you want to wait a day or two for the dust to settle (the first patch has minor
issues), but at least make some sort of announcement that a new RPM will be
forthcoming.
Comment 6 James Ralston 2003-09-22 20:48:57 EDT
I think what would make more sense is to wait until BIND 9.2.3 is released, and
then push out 9.2.3 as an "enhancement" errata for all supported systems.

Up through BIND 9.2.2, ISC implemented the "delegation-only" patch, like so:

zone "com" {
    type delegation-only;
};

However, for BIND 9.2.3, all root zones will be delegation-only by default, and
one will have to specifically exclude root zones which contain valid
non-delegated data:

options {
    root-delegation-only exclude { "de"; "lv"; "museum"; };
};

I don't think Red Hat should encourage the "type delegation-only" behavior,
since the ISC clearly intends to deprecate that behavior.

Rather, I think Red Hat should put bind-9.2.3rc4 RPM into Rawhide now, to get a
head-start on testing it so that hopefully once the ISC releases 9.2.3 final, it
won't take that long to run it through all the Q&A testing and get it published
as an errata update.

Does this seem reasonable?
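
To make the ARM rule quoted in the description and the 9.2.3-style exclude list from comment 6 concrete, here is an added Python model written for this page, not BIND's resolver code. It treats only NS records below a zone's apex as a delegation and assumes each constructed response came from the infrastructure zone's own servers; `ns.tld-server.example` and the 192.0.2.0/24 addresses are constructed sample values.

```python
# Added illustration, not BIND's resolver code: a simplified model of the ARM's
# "delegation-only" rule. A response for a name below the apex of such a zone
# becomes NXDOMAIN unless its authority section holds an NS RRset below the apex.
from dataclasses import dataclass, field

def labels(name: str) -> tuple:
    """Lower-cased labels: 'www.Example.com.' -> ('www', 'example', 'com')."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)

def is_below(name: str, zone: str) -> bool:
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z  # strictly below, never the apex

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str

@dataclass
class Response:
    qname: str
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def has_delegation(resp: Response, zone: str) -> bool:
    """Explicit delegation: NS records in the authority section for a child of zone."""
    return any(rr.rtype == "NS" and is_below(rr.owner, zone) for rr in resp.authority)

def apply_delegation_only(resp: Response, zones: list, excludes: list) -> Response:
    """Every zone in `zones` is delegation-only unless listed in `excludes`
    (the spirit of the 9.2.3 root-delegation-only exclude syntax)."""
    excluded = {labels(e) for e in excludes}
    for zone in zones:
        if labels(zone) in excluded or not is_below(resp.qname, zone):
            continue                             # excluded zone, or the apex itself
        if not has_delegation(resp, zone):
            # Synthesized (wildcard) data from the infrastructure zone: drop the
            # answer and report the name as non-existent instead.
            return Response(resp.qname, "NXDOMAIN", [], resp.authority)
    return resp

# Constructed sample responses (not captured traffic), as if from a .com server.
WILDCARD = Response("nonexistent-name.com", "NOERROR",
                    answer=[RR("nonexistent-name.com", "A", "192.0.2.1")],
                    authority=[RR("com", "NS", "ns.tld-server.example")])
REFERRAL = Response("www.example.com", "NOERROR",
                    authority=[RR("example.com", "NS", "ns1.example.com")])
ZONES, EXCLUDES = ["com", "net", "org", "de"], ["de"]
```

Running `apply_delegation_only` over WILDCARD yields NXDOMAIN with an empty answer section, while REFERRAL, the "com" apex and any name under the excluded "de" zone pass through unchanged.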
