[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error
fujiwara at jprs.co.jp
Tue Jan 22 18:29:34 UTC 2013
> From: JINMEI Tatuya / 神明達哉 <jinmei at isc.org>
> At Tue, 22 Jan 2013 12:07:59 +0100,
> Jelte Jansen <jelte at isc.org> wrote:
>
>> > ERROR [b10-auth.auth/80537] AUTH_PROCESS_FAIL message processing
>> > failure: Unexpected covering NSEC3 found for c.c.tld.
>> >
>> > BIND 9 answers empty, NO ERROR answer.
>
> [...]
>
>> Depending on what the errata will end up as, the fix may be 'works
>> according to spec', easy (treat it the same as DS no data proof), or
>> more involved (if we actually have to dive into the data below the ENT
>> to see what is there)... I'm not entirely sure how we should behave in
>> the mean time.
>
> In any case we probably overlooked something in implementing it as
> we generally tried to port BIND's behavior for NSEC/NSEC3 handling.
> I've not yet checked whether the errata discussion at dnsext affects
> this case and (if it does) when it's sorted out, but unless it's fixed
> by the next sprint I think we should make it compatible with BIND 9 in
> the next sprint.

The qname is an opted-out empty non-terminal, and it is a reported erratum.

# Jelte pointed to the dnsext thread, and it has been reported to the errata database.
# http://www.rfc-editor.org/errata_search.php?eid=3441

I forgot to write about the difference between DO=0 and DO=1.

In the DO=0 case, BIND 10 answers empty, no error (correct answer).
In the DO=1 case, BIND 10 answers SERVFAIL and shows the error message.

It is strange for users.

--
Kazunori Fujiwara, JPRS <fujiwara at jprs.co.jp>
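
The match-versus-cover distinction behind the "Unexpected covering NSEC3 found" message, as an added example that is not part of the original post and is not BIND code. Only `c.c.tld.` comes from the thread; the other zone names, the salt and iteration count (taken from the RFC 5155 Appendix A test zone), and the `tolerate_cover` switch are assumptions made for illustration.

```python
import base64
import hashlib

SALT, ITERATIONS = "aabbccdd", 12            # parameters of the RFC 5155 Appendix A zone
SIGNED_NAMES = ["tld.", "a.tld.", "z.tld."]  # constructed: names that own an NSEC3
ENT = "c.c.tld."                             # from the thread; owns no NSEC3 in this model
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex=SALT, iterations=ITERATIONS):
    """RFC 5155 SHA-1 hash of a domain name, as a base32hex owner label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):              # the count is of additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def build_chain(names):
    """Sorted, circular list of (owner_hash, next_hash) pairs."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def classify(qname, chain):
    """Return ('match', owner) or ('cover', owner) for the NSEC3 relevant to qname."""
    h = nsec3_hash(qname)
    for owner, nxt in chain:
        if h == owner:
            return ("match", owner)
        wraps = owner >= nxt                 # last record wraps to the first hash
        if owner < h < nxt or (wraps and (h > owner or h < nxt)):
            return ("cover", owner)
    raise ValueError("empty NSEC3 chain")

def rcode_for_ent(qname, chain, do_bit, tolerate_cover):
    """Model of the NODATA path for an empty non-terminal (hypothetical helper)."""
    if not do_bit:
        return "NOERROR"                     # model assumption: no proof built without DO
    kind, _ = classify(qname, chain)
    if kind == "match" or tolerate_cover:
        return "NOERROR"                     # empty answer, as reported for BIND 9
    return "SERVFAIL"                        # strict path: covering NSEC3 is "unexpected"

CHAIN = build_chain(SIGNED_NAMES)
```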