BIND 10 #1836: delegation + DO often results in exception->SERVFAIL
BIND 10 Development
do-not-reply at isc.org
Mon Mar 26 07:46:11 UTC 2012
#1836: delegation + DO often results in exception->SERVFAIL
-------------------------------------+-------------------------------------
            Reporter:  jinmei        |                Owner:
                Type:  defect        |               Status:  new
            Priority:  high          |            Milestone:  Next-Sprint-Proposed
           Component:  b10-auth      |
           Sensitive:  0             |             Keywords:
         Sub-Project:  DNS           |      Defect Severity:  N/A
Estimated Difficulty:  0             |  Feature Depending on Ticket:
         Total Hours:  0             |  Add Hours to Ticket:  0
                                     |            Internal?:  0
-------------------------------------+-------------------------------------
I've noticed b10-auth returns SERVFAIL when a delegation to a child zone
is expected if the query has the DO bit on and it's not a secure
delegation (including the case where the parent zone isn't signed at all).
It's due to this:
{{{#!c++
void
Query::addDS(ZoneFinder& finder, const Name& dname) {
    // Look up the DS RRset at the delegation point in the parent zone.
    ConstZoneFinderContextPtr ds_context =
        finder.find(dname, RRType::DS(), dnssec_opt_);
    if (ds_context->code == ZoneFinder::SUCCESS) {
        // Secure delegation: return the DS RRset in the authority section.
        authorities_.push_back(ds_context->rrset);
    } else if (ds_context->code == ZoneFinder::NXRRSET &&
               ds_context->isNSECSigned()) {
        // NSEC-signed parent: prove that no DS exists.
        addNXRRsetProof(finder, *ds_context);
    } else if (ds_context->code == ZoneFinder::NXRRSET &&
               ds_context->isNSEC3Signed()) {
        // Add no DS proof with NSEC3 as specified in RFC 5155 Section
        // 7.2.7.
        addClosestEncloserProof(finder, dname, true);
    } else {
        // Any other case should be an error.
        // NXRRSET from an unsigned parent zone also lands here, so an
        // ordinary insecure delegation with DO set becomes SERVFAIL.
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
    }
}
}}}
I think it's pretty critical because many deployed resolvers set the
DO bit by default, while many zones are actually not even signed at
all. Also, it should be easy to fix (one line patch + test
adjustments, I guess), so I propose this to be included in the current
sprint.
(But for now I'm pushing it to the next-sprint-proposed queue)
--
Ticket URL: <http://bind10.isc.org/ticket/1836>
BIND 10 Development <http://bind10.isc.org>
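The decision logic at the heart of the ticket, as an added stand-alone model (not BIND 10's code and not the project's actual patch): the result codes, the `DsContext` struct, the `DsAction` enum and both `chooseDsAction*` functions are assumptions constructed to reproduce the reported SERVFAIL on an unsigned delegation and to show the corrected handling, where NXRRSET without an NSEC/NSEC3 chain is treated as an insecure referral rather than an error.

```cpp
#include <stdexcept>
#include <string>

// Constructed model of the ZoneFinder result codes relevant to a DS lookup
// (assumed for illustration; not BIND 10's real types).
enum FindCode { SUCCESS, NXRRSET, NXDOMAIN, DELEGATION };

struct DsContext {
    FindCode code;
    bool nsec_signed;   // parent proves absence with NSEC
    bool nsec3_signed;  // parent proves absence with NSEC3
};

// What the authority section should receive for the DS part of a referral.
enum DsAction { ADD_DS, ADD_NSEC_PROOF, ADD_NSEC3_PROOF, ADD_NOTHING };

struct BadDS : std::runtime_error {
    explicit BadDS(const std::string& m) : std::runtime_error(m) {}
};

// Behaviour as reported: NXRRSET from an unsigned parent falls into the
// catch-all and throws, which the server turns into SERVFAIL.
DsAction chooseDsActionReported(const DsContext& ds) {
    if (ds.code == SUCCESS) return ADD_DS;
    if (ds.code == NXRRSET && ds.nsec_signed) return ADD_NSEC_PROOF;
    if (ds.code == NXRRSET && ds.nsec3_signed) return ADD_NSEC3_PROOF;
    throw BadDS("Unexpected result for DS lookup for delegation");
}

// Corrected decision (assumed fix): NXRRSET with no NSEC/NSEC3 chain means
// an insecure delegation from an unsigned zone, so the referral goes out
// with no DS and no proof. Codes that really are unexpected for a name the
// finder just reported as a delegation (e.g. NXDOMAIN) still raise.
DsAction chooseDsActionFixed(const DsContext& ds) {
    if (ds.code == SUCCESS) return ADD_DS;
    if (ds.code == NXRRSET) {
        if (ds.nsec_signed) return ADD_NSEC_PROOF;
        if (ds.nsec3_signed) return ADD_NSEC3_PROOF;
        return ADD_NOTHING;  // unsigned parent: plain insecure referral
    }
    throw BadDS("Unexpected result for DS lookup for delegation");
}

// True if the given decision function would end in SERVFAIL for this lookup.
bool wouldServfail(DsAction (*choose)(const DsContext&), const DsContext& ds) {
    try { choose(ds); return false; }
    catch (const BadDS&) { return true; }
}
```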