Description of problem: BIND doesn't handle unknown DLV algorithms well. This issue is fixed in 9.5.1-P2 and the patch must be backported to RHEL5.

Version: bind-9.3.4-10.P1.el5
For example, not being able to resolve the .gov domain if DNSSEC is enabled is a problem for many users with their new signing algorithm in use that seemed to be triggered late this week. Even Fedora, running 9.5.1-2.p2, requires dnssec-validate no to resolve .gov domains, and trying to import the public key for .gov yields an invalid algorithm message.
(In reply to comment #5)
> For example, not being able to resolve the .gov domain if DNSSEC is enabled is
> a problem for many users with their new signing algorithm in use that seemed to
> be triggered late this week.
>
> Even Fedora, running 9.5.1-2.p2 requires dnssec-validate no to resolve .gov
> domains and trying to import the public key for .gov yields an invalid
> algorithm message.

named fails to handle the "gov." domain only when you use DLV. If you try to import a key with an unknown algorithm, it fails during startup (this is expected behavior). 9.5.1-2.P2 in Fedora should work fine. If it hits an unknown algorithm during the DLV process, it falls back to non-secure DNS as expected. If it doesn't work in your case, open a bug report against Fedora and attach your log, please.
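The fall-back the reply above describes is the rule from RFC 4035 section 5.2: when a validator authenticates a DS (or, for lookaside, DLV) RRset but implements none of the algorithms it lists, it has no supported authentication path and must treat the delegation as insecure rather than as bogus. The following is an added illustration of that rule, not code from this bug report or from BIND; the DS lines, key tags and digests are constructed sample data, and the two "supported algorithm" sets are assumptions standing in for an older and a newer validator.

```python
"""Model the RFC 4035 s.5.2 decision a validator makes when it meets DS records
whose algorithm it does not implement.  DLV records (RFC 4431) share the DS
format, so the same logic covers the lookaside case.  Added example, not BIND code."""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (real values, subset only).
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
}

# Assumed support sets for the example: an older validator that only knows the
# RSASHA1 family, and a newer one that also knows SHA-256/SHA-512 based algorithms.
OLD_VALIDATOR_SUPPORTS = {5, 7}
NEW_VALIDATOR_SUPPORTS = {5, 7, 8, 10, 13}

# Constructed DS records in presentation format (key tags and digests are made up).
SAMPLE_DS_RSASHA256_ONLY = [
    "example. 3600 IN DS 40123 8 2 "
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
]
SAMPLE_DS_MIXED = SAMPLE_DS_RSASHA256_ONLY + [
    "example. 3600 IN DS 40124 5 1 0123456789abcdef0123456789abcdef01234567",
]


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(line: str) -> DS:
    """Parse '<owner> [ttl] [class] DS <keytag> <alg> <digesttype> <digest...>'."""
    fields = line.split()
    if "DS" not in fields:
        raise ValueError(f"not a DS record: {line!r}")
    rest = fields[fields.index("DS") + 1:]
    if len(rest) < 4:
        raise ValueError(f"truncated DS record: {line!r}")
    key_tag, alg, dtype = (int(x) for x in rest[:3])
    digest = "".join(rest[3:]).lower()          # digest may be split by whitespace
    if not all(c in "0123456789abcdef" for c in digest):
        raise ValueError(f"DS digest is not hexadecimal: {line!r}")
    return DS(fields[0], key_tag, alg, dtype, digest)


def classify_delegation(ds_lines, supported) -> str:
    """Return the validator's view of a delegation.

    'unsigned'  - no DS records at all (caller is assumed to have proven that)
    'secure'    - at least one DS uses a supported algorithm, so the child DNSKEY
                  RRset must be validated through it
    'insecure'  - DS records exist but none is usable; RFC 4035 s.5.2 says to
                  treat this exactly like a proven absence of DS, i.e. fall back
                  to unvalidated answers instead of returning SERVFAIL
    """
    ds_set = [parse_ds(line) for line in ds_lines]
    if not ds_set:
        return "unsigned"
    usable = [ds for ds in ds_set if ds.algorithm in supported]
    return "secure" if usable else "insecure"


def explain(ds_lines, supported) -> str:
    """Human-readable summary of the decision, useful when reading resolver logs."""
    ds_set = [parse_ds(line) for line in ds_lines]
    algs = ", ".join(f"{ds.algorithm} ({ALGORITHMS.get(ds.algorithm, 'unknown')})" for ds in ds_set)
    return f"DS algorithms seen: [{algs}] -> delegation treated as {classify_delegation(ds_lines, supported)}"


if __name__ == "__main__":
    print(explain(SAMPLE_DS_RSASHA256_ONLY, OLD_VALIDATOR_SUPPORTS))
    print(explain(SAMPLE_DS_RSASHA256_ONLY, NEW_VALIDATOR_SUPPORTS))
    print(explain(SAMPLE_DS_MIXED, OLD_VALIDATOR_SUPPORTS))
```

A validator that returns "insecure" here serves the zone's answers without the AD bit, which is the "falls back to non-secure DNS" behaviour described above; one that instead errors out on the unknown algorithm number is the failure mode this bug is about. Publishing a DS for an old-algorithm key alongside the new one (the mixed sample) keeps such validators on a secure path during an algorithm rollover.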
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1420.html