From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6 Description of problem: Please see Bug #104569 Please consult media for reports on verisign mis-handling .com / .net wildcards. Please consider the effects on email systems / spam blocking / security. Please include delegation patch in update to RH7.3 (or ALL) bind packages. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Use non-patched bind 2. Permits wildcard lookup 3. BAD BAD BAD - please add patch Additional info:
I agree. While technically not a bug, this fix is required for security features in other products to function properly; eg, Sendmail and Postfix. Plus, having the fix available on RedHat would encourage wide adoption, which in turn would nullify the effects of VeriSign's "hijacking" of the purposes and RFC functions of the root servers. The second BIND patch for this issue has been released. I can understand if you want to wait a day or two for the dust to settle (the first patch has minor issues), but at least make some sort of announcement that a new RPM will be forthcoming.
Please add this patch to give RH users running bind the ability to block out VeriSign SiteFinder. RedHat seems to be laging behind in their response to this issue, it's a serious concern to many System Admins and should be addressed with a new RPM patch ASAP.
The patch is available on RawHide bind-9.2.2-23 Dan
No one who is following the ISC BIND9 list will want Bind-9.2.2-23, which only contains the first ISC patch and is defective and creates problems. ISC's -P4 patch is apparently stable, and should be built & released as an RPM.