BIND 10 #2503: Problem in inmem NSEC3 denial of existence handling
BIND 10 Development
do-not-reply at isc.org
Thu Nov 22 21:50:56 UTC 2012
#2503: Problem in inmem NSEC3 denial of existence handling
-------------------------------------+-------------------------------------
Reporter: jelte | Owner:
Type: defect | Status: new
Priority: medium | Milestone: New Tasks
Component: data source |
Sensitive: 0 | Keywords:
Sub-Project: DNS | Defect Severity: N/A
Estimated Difficulty: 0 | Feature Depending on Ticket:
Total Hours: 0 | Add Hours to Ticket: 0
| Internal?: 0
-------------------------------------+-------------------------------------
Granted, my zone is somewhat artificial; it only has a few records, but
more importantly, it only has 1 name.
So it also only has 1 NSEC3 record, and that apparently causes some
problems.
The zone is ok.ok.ok.ok.nsec3.tjeb.nl, and transferring it gives the
following data:
{{{
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN SOA ns2.tjeb.nl.
tjeb.tjeb.nl. 2005080901 28800 7200 604800 18000
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN A 178.18.82.80
ok.ok.ok.ok.nsec3.tjeb.nl. 3600 IN DNSKEY 256 3 7
AwEAAcVaFlRylmfW8CiGTWpSvom6cxuqsEJeteXR+YrCrCuriTu8P6ou/43/db9ooybB62JuREvoosmjtf0i7tZIAUFh87c1+3JTdra+W4WcCNYNEZW1I41J/OjMEOwKVxH2V1GgZGThrNgvZj7xqeusG2fP0DScDO3/gBr9PJGi9JTD
;{id = 56765 (zsk), size = 1024b}
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN NS ns2.tjeb.nl.
ok.ok.ok.ok.nsec3.tjeb.nl. 3600 IN NSEC3PARAM 1 0 5 beef
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN RRSIG SOA 7 7 600
20150101000000 20110520094818 56765 ok.ok.ok.ok.nsec3.tjeb.nl.
S7kx8CgkvczbZzJRzG9JiUa5JdEwPdJCniVPcCqUfQVbF6Lfe/iPbLBBguWZJDcPNCm1txvzz8tuYf0z2dziAxQefWPnh7Y1ABZSft1X19L9kz6QGcsxcAvw039t3aX8fyTmiAU1nUthj5u6UdUqGVdxla4RdpipfN2zXNAJ64E=
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN RRSIG A 7 7 600
20150101000000 20110520094818 56765 ok.ok.ok.ok.nsec3.tjeb.nl.
TrBhFbKGkp427sPnhtT9andQlnfKjY9DE8U++rdbXfY30aKssN/Mb/M0HK+RBlBDUsL9YbkG6XU345zkIWBIqxHBf0wJuVd3vYggDikyNhrtGtS0sJCHKrX/Im5gMVWeN6m47Mp8LWK2yFJeOdGEn5BLfyhnPpYO4/te52FyboI=
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN RRSIG NS 7 7 600
20150101000000 20110520094818 56765 ok.ok.ok.ok.nsec3.tjeb.nl.
YcTwEpjPxxDyM+d0hG3pfYavfbOKFxUqY0jyZ3dcns5uEelmgi/7D5yGbE8Dq0OzWFyR5sjBf4+7WGqNJwY+fSmbXOzaqfmVMtSC3R068GDd6NrXs4WfrjfYOeajwCuseB3L89fofy/7EfJbcQVA7JUEBjPBH2RXu8dgXNuLghk=
ok.ok.ok.ok.nsec3.tjeb.nl. 3600 IN RRSIG DNSKEY 7 7 3600
20150101000000 20110520094818 56765 ok.ok.ok.ok.nsec3.tjeb.nl.
ZcJ1DpuiJfisbYu/24q1EC1IwP6j0TDPcxFMNHUeU7m0N0lAgk2S0tM//qhMPkBygN3VgHa9yhnxhIvct3amBxTZh9VcFz66vMmzCuEpWPB3aHRPIhltUGDNGi8H6UtUmX/RKuX23WloaG9Wnh8FBX0RJKkW6R3JLgWD4EJkF78=
ok.ok.ok.ok.nsec3.tjeb.nl. 3600 IN RRSIG NSEC3PARAM 7 7
3600 20150101000000 20110520094818 56765 ok.ok.ok.ok.nsec3.tjeb.nl.
QhxpZzlG8/NUvZXzgGOzKeJCir+58m/rlZn3IARO54XXtzfd6fNSJHT+SMpD2PdzonblqhUqbqxucQNpjuVxIocIUIAcCj2F0K1oxxknIFr/j+XIaB4plsrRH7yPUYnym6xAUMcQRxob5FjYYc2vXjHRHF8M0qeEjyrNP8m7keU=
tv3jp54nve7jfnhvba54uc031shjv2d3.ok.ok.ok.ok.nsec3.tjeb.nl. 18000 IN
NSEC3 1 0 5 beef tv3jp54nve7jfnhvba54uc031shjv2d3 A NS SOA RRSIG DNSKEY
NSEC3PARAM
tv3jp54nve7jfnhvba54uc031shjv2d3.ok.ok.ok.ok.nsec3.tjeb.nl. 18000 IN
RRSIG NSEC3 7 8 18000 20150101000000 20110520094818 56765
ok.ok.ok.ok.nsec3.tjeb.nl.
p7WlTLC3CatciKMkDNvXeKCXCNHstR2c/Mu62EXBHL1jrNuSx1S8crOGYFzELNtSA7paTO6/Uc8U7xRdf3IUb517obQCEVrpPyp4YTxlg8YwgAe5azklW11aYkW4E/nqsXUQnWieiuEWwTPYdVZLnrnu7NxH+IA+uGHHP689xPY=
ok.ok.ok.ok.nsec3.tjeb.nl. 600 IN SOA ns2.tjeb.nl.
tjeb.tjeb.nl. 2005080901 28800 7200 604800 18000
}}}
Normal digs/drills for this data work, but for an NXDOMAIN or
NOERROR/NODATA, it returns SERVFAIL.
The output log shows:
{{{
2012-11-22 22:25:00.912 ERROR [b10-auth.auth] AUTH_PROCESS_FAIL message
processing failure: findNSEC3 attempt but zone has no NSEC3 RRs:
ok.ok.ok.ok.nsec3.tjeb.nl./IN
}}}
Note: this exception text occurs twice; I've confirmed it is the second
case (trying to find origin node). Loading itself works fine:
{{{
2012-11-22 22:32:12.642 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_LOAD loading zone 'ok.ok.ok.ok.nsec3.tjeb.nl.' from
file 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset 'ok.ok.ok.ok.nsec3.tjeb.nl./A'
into zone 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset 'ok.ok.ok.ok.nsec3.tjeb.nl./NS'
into zone 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset 'ok.ok.ok.ok.nsec3.tjeb.nl./SOA'
into zone 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset
'ok.ok.ok.ok.nsec3.tjeb.nl./DNSKEY' into zone 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset
'ok.ok.ok.ok.nsec3.tjeb.nl./NSEC3PARAM' into zone
'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_RRSET adding RRset
'tv3jp54nve7jfnhvba54uc031shjv2d3.ok.ok.ok.ok.nsec3.tjeb.nl./NSEC3' into
zone 'ok.ok.ok.ok.nsec3.tjeb.nl.'
2012-11-22 22:32:12.643 DEBUG [b10-auth.datasrc_memory]
DATASRC_MEMORY_MEM_ADD_ZONE adding zone 'ok.ok.ok.ok.nsec3.tjeb.nl./IN'
}}}
Is the problem simply that it cannot handle an NSEC3 that loops to itself?
--
Ticket URL: <http://bind10.isc.org/ticket/2503>
BIND 10 Development <http://bind10.isc.org>
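
The ticket's closing question concerns a one-record NSEC3 chain whose next-hashed-owner field equals its own owner hash. As an added example (not BIND 10 code and not part of the ticket), the Python below computes RFC 5155 hashes with the zone's NSEC3PARAM values (SHA-1, 5 iterations, salt `beef`) and shows a cover test that handles the self-loop and wrap-around cases next to a naive range test that does not. The function names and the queried name `nope.…` are assumptions made for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648), the encoding of NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# The only NSEC3 owner hash in the zone data above; its "next" field is the same value.
SOLE_NSEC3 = "tv3jp54nve7jfnhvba54uc031shjv2d3"

def wire_name(name):
    """Canonical (lowercased) DNS wire format of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1 = SHA-1), base32hex, lowercase."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def naive_covers(owner, nxt, h):
    """Plain range test: wrong for the last record and for a one-record chain."""
    return owner < h < nxt

def covers(owner, nxt, h):
    """True if the NSEC3 (owner -> nxt) proves that hash h does not exist."""
    if owner == nxt:                     # single record looping to itself
        return h != owner
    if owner < nxt:                      # ordinary interval
        return owner < h < nxt
    return h > owner or h < nxt          # last record wraps to the first

def find_covering(chain, h):
    """Return the owner hash of the record covering h, or None if h matches a record."""
    for owner, nxt in chain:
        if covers(owner, nxt, h):
            return owner
    return None

if __name__ == "__main__":
    # Constructed query name; salt and iteration count come from the NSEC3PARAM above.
    h = nsec3_hash("nope.ok.ok.ok.ok.nsec3.tjeb.nl.", "beef", 5)
    chain = [(SOLE_NSEC3, SOLE_NSEC3)]
    print("query hash:   ", h)
    print("naive covers: ", naive_covers(SOLE_NSEC3, SOLE_NSEC3, h))
    print("covering rec.:", find_covering(chain, h))
```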