On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> Hi Michael!
>
> Sorry to bother you again, but want some advice before I leap.
>
> Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled - breaks
> RFC 4035) be reclassified as grave, or at least Important severity?
>
> We need to get something done about this one.  Having to turn off DNSSEC
> validation to get correct resolution behaviour is not good for security re
> DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS.

I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
relate to wildcard handling.  Someone will have to look at whether
those are the right changes and if they're complete, and then port it
to the current version.  See attached.

> Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> please. LaMont Jones, it would be good if you could do this please?  Does
> not look that hard.  Have looked in bind9 package git.

No.  We're in the freeze now.  Fixes need to be backported.

Best wishes,
Mike

Attachment: bind.diff
Description: Binary data
