[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error

[Mark Andrews]

In message <20130123082600.GA22885 at hydra>, Michal 'vorner' Vaner writes:
> 
> Hello
> 
> On Tue, Jan 22, 2013 at 09:23:50AM -0800, JINMEI Tatuya / =E7=A5=9E=E6=98=
> =8E=E9=81=94=E5=93=89 wrote:
> > In any case we probably overlooked something in implementing it as
> > we generally tried to port BIND's behavior for NSEC/NSEC3 handling.
> > I've not yet checked whether the errata discussion at dnsext affects
> > this case and (if it does) when it's sorted out, but unless it's fixed
> > by the next sprint I think we should make it compatible with BIND 9 in
> > the next sprint.
> 
> I don't know if "it's compatible with bind9" is a very good reason here, 
> as we the discussion suggests, it's not clear what is correct. We have 
> many bugs for sure, and we are not sure this one is a bug, so why the 
> hurry? I could probably name 5 places where we are not acting the same as 
> bind9 without much thinking and these places would be happening more 
> often.

Well BIND9's way is the suggested fix in the errata.

http://www.ietf.org/mail-archive/web/dnsext/current/msg12865.html

Note there is no difference between DS and any other normal type other
than you may choose a parent zone to generate the response from as
the DS lives in the parent zone at a zone cut.

BIND 10, being a independent implementation, is a good tool for finding
bugs in specifications.
 
> Anyway, I suggest we create a ticket, describe the problem and note we're
> waiting for conclusion of the discussion and suggest there the zone data 
> be updated.
> 
> With regards
> 
> -- 
> ~, sweet ~
> 
> Michal 'vorner' Vaner
>  
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org