[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Wed Jan 23 19:21:45 UTC 2013


At Wed, 23 Jan 2013 03:29:34 +0900 (JST),
fujiwara at jprs.co.jp wrote:

> I forgot to write about the difference between DO=0 and DO=1.
> 
> DO=0 case, BIND 10 answers empty, no error.   (correct answer)
> DO=1,      BIND 10 answers SERVFAIL and shows the error message.
> 
> It is strange for users.

As a general matter I suspect it's inevitable.  After all, these are
different operations (DO value is different) so the querier needs to
expect different results anyway.  In fact, that could happen, e.g., in
the case of run time NSEC3 collision as described in 7.2.9 of RFC5155
(even if it should be unlikely).  So, simply because different results
are returned to *different nature of queries* doesn't seem to
immediately support the argument for making them the same.

But, in this specific case, I tend to agree with behaving as BIND 9
does for a different reason.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

