Error with DLV and slave zone

Mark Andrews Mark_Andrews at isc.org
Mon Aug 11 02:53:38 UTC 2008


> Hello,
> 
> again I reply to myself, because I have new information.
> 
> The short answer is: 23 (see below!)
> 
> Frank Behrens <frank at harz.behrens.de> wrote on 7 Aug 2008 12:35:
> > I discovered a problem with my DLV setup - validation of non signed 
> > domain names fails. The special case is, that I tried to use the DLV 
> > zone information as slave to avoid additional network traffic during 
> > name resolution. For my tests I configured
> >  dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> > zone "dnssec.iks-jena.de" {
> >         type slave;
> > 	...
> > Zone transfer for this zone and lookups for zone data are working 
> > well. I use bind 9.4.2-P1.
> >...
> > What happened you see in the log:
> > validating @0x91f7800: www.stern.de A: starting
> > validating @0x91f7800: www.stern.de A: looking for DLV
> > validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> > validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> > validator @0x91f7800: dns_validator_destroy
> 
> IMHO the "empty name" is not expected by the validator and a SERVFAIL 
> error is generated. The following patch is a wild hack and I'm sure 
> that it is not the right solution. But it solves the problem and may 
> point you into the right direction:
> 
> --- lib/dns/validator.c.orig	2008-08-08 18:17:18.971432000 +0200
> +++ lib/dns/validator.c	2008-08-10 19:14:18.743667647 +0200
> @@ -2441,7 +2441,7 @@ finddlvsep(dns_validator_t *val, isc_boo
>  			dns_rdataset_clone(&val->frdataset, &val->dlv);
>  			return (ISC_R_SUCCESS);
>  		}
> -		if (result == ISC_R_NOTFOUND) {
> +		if (result == ISC_R_NOTFOUND && result != 23) {
>  			result = create_fetch(val, dlvname, dns_rdatatype_dlv,
>  					      dlvfetched, "finddlvsep");
>  			if (result != ISC_R_SUCCESS)
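Review bot: in `if (result == ISC_R_NOTFOUND && result != 23)` both tests are on the same variable, so the added clause can only do one of two things. If 23 is the value of ISC_R_NOTFOUND, the condition is never true and the create_fetch() call below it becomes dead code; if 23 is any other value, the clause changes nothing. A raw number also hides which result code is meant. Name the constant and decide explicitly whether the fetch should still be issued.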
> @@ -2450,6 +2450,7 @@ finddlvsep(dns_validator_t *val, isc_boo
>  		}
>  		if (result != DNS_R_NXRRSET &&
>  		    result != DNS_R_NXDOMAIN &&
> +		    result != 23 &&
>  		    result != DNS_R_NCACHENXRRSET &&
>  		    result != DNS_R_NCACHENXDOMAIN)
>  			return (result);
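Review bot: `result != 23 &&` puts a bare integer into a list of symbolic DNS_R_* codes, so a reader cannot tell which result is now allowed to fall through instead of reaching `return (result);`. Use the named result code that is meant, so the exemption stays correct if the numeric values ever change.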
> 
> 
> Can anybody who has knowledge about the validator make a comment?

	It's clearly wrong.

> Thank you!
>    Frank

	The following has not been reviewed for correctness.  It
	treats "empty name" as NXRRSET of which "empty name" is a
	special case.

	Mark

Index: lib/dns/validator.c
===================================================================
RCS file: /proj/cvs/prod/bind9/lib/dns/validator.c,v
retrieving revision 1.160
diff -u -r1.160 validator.c
--- lib/dns/validator.c	19 Feb 2008 17:07:55 -0000	1.160
+++ lib/dns/validator.c	11 Aug 2008 02:46:04 -0000
@@ -939,6 +939,7 @@
 	} else if (result != ISC_R_SUCCESS &&
 		   result != DNS_R_NCACHENXDOMAIN &&
 		   result != DNS_R_NCACHENXRRSET &&
+		   result != DNS_R_EMPTYNAME &&
 		   result != DNS_R_NXRRSET &&
 		   result != ISC_R_NOTFOUND) {
 		goto  notfound;
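Review bot: the added `result != DNS_R_EMPTYNAME` carries no comment saying why an empty name is accepted at this point; the rationale (empty name treated as a special case of NXRRSET) exists only in the mail text. A one-line comment above the condition would keep it with the code. This list also has no DNS_R_NXDOMAIN entry, unlike the other three conditions touched by the patch; worth confirming that is intended.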
@@ -1196,6 +1197,7 @@
 		return (DNS_R_WAIT);
 	} else if (result ==  DNS_R_NCACHENXDOMAIN ||
 		   result == DNS_R_NCACHENXRRSET ||
+		   result == DNS_R_EMPTYNAME ||
 		   result == DNS_R_NXDOMAIN ||
 		   result == DNS_R_NXRRSET)
 	{
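Review bot: the five-way test extended here (NCACHENXDOMAIN, NCACHENXRRSET, EMPTYNAME, NXDOMAIN, NXRRSET) is repeated in the hunk at line 1803 and, in negated form, in the hunk at line 2462. Adding a new code by hand to each copy is how one site gets missed later; a small macro or helper for "negative answer" would keep them in sync.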
@@ -1803,8 +1805,9 @@
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			return (DNS_R_WAIT);
-		 } else if (result ==  DNS_R_NCACHENXDOMAIN ||
+		} else if (result ==  DNS_R_NCACHENXDOMAIN ||
 			   result == DNS_R_NCACHENXRRSET ||
+			   result == DNS_R_EMPTYNAME ||
 			   result == DNS_R_NXDOMAIN ||
 			   result == DNS_R_NXRRSET)
 		{
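Review bot: the first changed pair in this hunk only fixes the indentation of `} else if (result ==  DNS_R_NCACHENXDOMAIN ||` and is mixed in with the functional `DNS_R_EMPTYNAME` addition. Splitting the whitespace fix into its own change would keep the behavioural diff to one added line. The doubled space after `==` is left in place and could be cleaned up in that same pass.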
@@ -2462,6 +2465,7 @@
 		}
 		if (result != DNS_R_NXRRSET &&
 		    result != DNS_R_NXDOMAIN &&
+		    result != DNS_R_EMPTYNAME &&
 		    result != DNS_R_NCACHENXRRSET &&
 		    result != DNS_R_NCACHENXDOMAIN)
 			return (result);
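Review bot: this condition decides whether a DLV lookup result falls through or hits `return (result);`, and the change is stated to be unreviewed. A regression test for the reported setup (DLV zone held as a slave, an unsigned name being validated) would confirm that the empty-name result now continues instead of ending in SERVFAIL.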
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

