Thanks, I will cross check this with all ISC tarballs between 9.8.1 and 9.8.2. This is when the CHANGES file lists it was fixed.

I have noted that ISC changed things quite a lot with some internal structures over 9.8.x/9.7.x/9.6.x, when I was examining some issues to do with query rate DoS attacks. Debian bind does not have those changes, but I gave it the benefit of the doubt.

I'll quickly assess whether there are any problems here or not. Have been a professional C router programmer.

If it's not good, we really have issues. There comes a point when upstream has been diligent about fixes, and we have to redo a lot of it, and we are not the experts....

Cheers,

Matthew

On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert <mgilb...@debian.org> wrote:

> On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> > Hi Michael!
> >
> > Sorry to bother you again, but want some advice before I leap.
> >
> > Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled -
> > breaks RFC 4035) be reclassified as grave, or at least Important severity?
> >
> > We need to get something done about this one. Having to turn off DNSSEC
> > validation to get correct resolution behaviour is not good for security re
> > DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS.
>
> I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
> relate to wildcard handling. Someone will have to look at whether
> those are the right changes and if they're complete, and then port it
> to the current version. See attached.
>
> > Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> > please. Lamount Jones, it would be good if you could do this please? Does
> > not look that hard. Have looked in bind9 package git.
>
> No. We're in the freeze now. Fixes need to be backported.
>
> Best wishes,
> Mike