[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error

Michal 'vorner' Vaner michal.vaner at nic.cz
Thu Jan 24 12:16:05 UTC 2013 

Hello

On Wed, Jan 23, 2013 at 11:12:07AM -0800, JINMEI Tatuya / 神明達哉 wrote:
> First, as Fujiwara-san already pointed out an errata on this was
> already submitted: http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=3441
> and, according to the discussion at dnsext this generally seems to be
> based on the wg consensus.  So "what to do" now seems pretty clear to
> me: correct it as the errata says.  And, if I understand it correctly,
> it also happens to be the same as BIND 9's behavior.

Oh. In that case, it's slightly different story. That's a better reason than the
compatibility with bind9 for me.

> The urgency can be discussed.  Whether it's SERVFAIL or normal
> negative response with NSEC3 as the errata specifies, the end result
> of the caching (validating) server and the ultimate client wouldn't be
> much different (the proof with NSEC3 is quite weak in this case
> anyway).  And, it's not a bug like ones making b10-auth crash.
> But, hitting an exception with a validly constructed zone and a valid
> query is not really good, considering the cost of exception handling,
> so I personally think it's better to fix sooner.  Assuming we have
> another sprint between a release candidate and the real release,
> there's a chance to fix it in the release version if we do it in the
> next spring.  I think it's worth doing.

I don't know. Jelte seemed to suggest the problem is not so easy to fix. I have
no idea how long it can take.

I don't want to say we should not fix it soon, but I don't thing the exceptions
are that much performance problematic. Compared with several allocations of many
objects, some mutexes and many virtual-method calls during the processing, a
single exception doesn't seem to be that important. I'm not claiming that
there's no performance hit with exceptions, just that I don't believe they are
that much bad without seeing some hard numbers.

With regards

-- 
When all else fails, EAT!!!

Michal 'vorner' Vaner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <https://lists.isc.org/pipermail/bind10-dev/attachments/20130124/b5b1d1f4/attachment.bin>

More information about the bind10-dev mailing list