[bind10-dev] bind10-1.0.0-beta auth server answers SERVFAIL for an empty non-terminal due to "Unexpected covering NSEC3 found" error
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Thu Jan 24 18:45:58 UTC 2013
At Thu, 24 Jan 2013 13:16:05 +0100,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:
> > The urgency can be discussed. Whether it's SERVFAIL or normal
> > negative response with NSEC3 as the errata specifies, the end result
> > of the caching (validating) server and the ultimate client wouldn't be
> > much different (the proof with NSEC3 is quite weak in this case
> > anyway). And, it's not a bug like ones making b10-auth crash.
> > But, hitting an exception with a validly constructed zone and a valid
> > query is not really good, considering the cost of exception handling,
> > so I personally think it's better to fix sooner. Assuming we have
> > another sprint between a release candidate and the real release,
> > there's a chance to fix it in the release version if we do it in the
> > next sprint. I think it's worth doing.
>
> I don't know. Jelte seemed to suggest the problem is not so easy to fix. I have
> no idea how long it can take.
As far as I can see it's not that difficult. As was pointed out in
the dnsext thread, this case is essentially (or in some sense) the
same for handling the non-existence of DS with (or without) optout.
We already have that code, so we can basically only apply it to the
ENT case.

When to do it may still be debatable, though. To me, the balance of
benefit and cost-to-implement seems to be good enough to do it in the
next sprint, especially if that means we can include the fix in the
final release, but it's true that this is not a bug leading to the end
of the world, so if others see more important tasks than this, it
could be deferred.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.