[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error

fujiwara at jprs.co.jp
Tue Jan 22 09:05:06 UTC 2013


JPRS's BIND 10 test using the JP zone found another BIND 10 bug.

The BIND 10 auth server sometimes answers SERVFAIL when queried for
empty non-terminals.

I made a small test zone and reproduced the phenomenon.

  Test zone: tld.
  parameter: RSASHA256, 2048bit, NSEC3 Optout (-3 001122 -H 1 -A)
  sign tool: BIND 9.8.3-P4 dnssec-keygen and dnssec-signzone

I attached the tld zone file (tld.signed.gz).
If you load the zone file into the BIND 10 auth server and query "c.c.tld A",
you can see the SERVFAIL answer and the BIND 10 error message.

ERROR [b10-auth.auth/80537] AUTH_PROCESS_FAIL message processing failure: Unexpected covering NSEC3 found for c.c.tld.

BIND 9 gives an empty, NO ERROR answer.

--
Kazunori Fujiwara, JPRS <fujiwara at jprs.co.jp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tld.signed.gz
Type: application/octet-stream
Size: 5879 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind10-dev/attachments/20130122/71c1055a/attachment-0001.obj>
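
The following is an added example, not part of the original message or of BIND 10. It computes RFC 5155 NSEC3 hashes with the salt and iteration count from the post (`-3 001122 -H 1`) and shows how a name can be covered by, rather than match, an NSEC3 record. RFC 5155 allows an opt-out zone to omit the NSEC3 for an empty non-terminal that exists only because of an insecure delegation; the zone contents below are constructed and assume that case, since the post does not show the attached zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), which NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 of name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def build_chain(names, salt_hex, iterations):
    """Sorted hashes of the names that own an NSEC3 RR; each links to the next."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))

def classify(name, chain, salt_hex, iterations):
    """Return 'match' if an NSEC3 RR is owned by H(name), else 'cover'."""
    h = nsec3_hash(name, salt_hex, iterations)
    if any(h == owner for owner, _ in chain):
        return "match"
    for owner, nxt in chain:
        # The last link wraps around to the first owner in the chain.
        if owner < h < nxt or (nxt <= owner and (h > owner or h < nxt)):
            return "cover"
    raise ValueError("broken NSEC3 chain")

# Constructed zone (NOT the attached tld.signed). Salt and iterations are from
# the post's "-3 001122 -H 1"; every name except tld and c.c.tld is hypothetical.
SALT, ITER = "001122", 1
# Assumption: b.c.c.tld is an insecure delegation, so with opt-out neither it
# nor the empty non-terminals above it (c.c.tld, c.tld) own an NSEC3 RR.
NSEC3_OWNERS = ["tld", "signed.tld", "www.tld"]
CHAIN = build_chain(NSEC3_OWNERS, SALT, ITER)

if __name__ == "__main__":
    for qname in ("tld", "c.c.tld"):
        print(qname, nsec3_hash(qname, SALT, ITER), classify(qname, CHAIN, SALT, ITER))
```

In this constructed chain `c.c.tld` exists in the zone tree yet is only covered, which is the situation a server must answer with an empty NOERROR response rather than treat as an internal inconsistency.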
