BIND 10 #2503: Problem in inmem NSEC3 denial of existence handling

BIND 10 Development do-not-reply at isc.org
Fri Nov 23 15:25:20 UTC 2012


#2503: Problem in inmem NSEC3 denial of existence handling
------------------------------------------+-------------------------------------
                   Reporter:  jelte       |                 Owner:
                       Type:  defect      |                Status:  new
                   Priority:  medium      |             Milestone:  New Tasks
                  Component:  data source |            Resolution:
                   Keywords:              |             Sensitive:  0
            Defect Severity:  N/A         |           Sub-Project:  DNS
Feature Depending on Ticket:              |  Estimated Difficulty:  0
        Add Hours to Ticket:  0           |           Total Hours:  0
                  Internal?:  0           |
------------------------------------------+-------------------------------------

Comment (by jinmei):

 Replying to [ticket:2503 jelte]:

 > Normal digs/drills for this data work, but for an NXDOMAIN or
 > NOERROR/NODATA, it returns SERVFAIL.
 >
 > The output log shows:
 > {{{
 > 2012-11-22 22:25:00.912 ERROR [b10-auth.auth] AUTH_PROCESS_FAIL message processing failure: findNSEC3 attempt but zone has no NSEC3 RRs: ok.ok.ok.ok.nsec3.tjeb.nl./IN
 > }}}
 >
 > note, this exception text occurs twice, I've confirmed it is the second
 > case (trying to find origin node); loading itself works fine:

 And I suspect the second one is a copy-paste bug.  In any case the
 message isn't really helpful in diagnosis.

 In this setup the NSEC3 domain tree has only one node for the owner
 name of the only NSEC3 RR, so find(origin) wouldn't return an EXACTMATCH
 as the code expects:
 {{{#!cpp
     ZoneTree::Result result =
          tree.find<void*>(origin_ls, &node, orig_chain, NULL, NULL);
     if (result != ZoneTree::EXACTMATCH) {
         // If the origin node doesn't exist, simply fail.
         isc_throw(DataSourceError,
                   "findNSEC3 attempt but zone has no NSEC3 RRs: " <<
                   origin_ls << "/" << getClass());
     }
 }}}

 Normally we have more than one NSEC3 RR with different owner names
 (different hashes), so the tree has an (empty) node for the origin
 name.

 I think what we should do is to explicitly insert the origin name into
 the nsec3 tree, just like we do for the normal zone tree.

-- 
Ticket URL: <http://bind10.isc.org/ticket/2503#comment:1>
BIND 10 Development <http://bind10.isc.org>
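
The tree behaviour described in the comment above can be reproduced with a small model. This is an added example, not BIND 10 code: `Node`, `walk` and `originFound` are hypothetical names, the tree is a simplified label-compressed tree standing in for the real NSEC3 domain tree, and the `hash1`/`hash2` owner labels used with it are constructed placeholders for real NSEC3 hashes.

```cpp
#include <map>
#include <memory>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Toy label-compressed name tree: a simplified stand-in, NOT BIND 10's ZoneTree.
typedef std::vector<std::string> Labels;             // root-most label first
struct Node {
    Labels labels;                                   // labels relative to the parent
    std::map<std::string, std::unique_ptr<Node> > down;
    explicit Node(const Labels& l = Labels()) : labels(l) {}
};

Labels parse(const std::string& name) {              // "a.b.nl." -> {"nl","b","a"}
    Labels out;
    std::istringstream in(name);
    for (std::string l; std::getline(in, l, '.');) out.insert(out.begin(), l);
    return out;
}

// Return the node whose full name is `name`, or nullptr. create=true adds/splits nodes.
Node* walk(Node* cur, const std::string& name, bool create) {
    const Labels n = parse(name);
    for (std::size_t pos = 0, k = 0; pos < n.size(); pos += k) {
        if (!create && !cur->down.count(n[pos])) return nullptr;
        std::unique_ptr<Node>& slot = cur->down[n[pos]];
        if (!slot) slot.reset(new Node(Labels(n.begin() + pos, n.end())));
        const Labels& have = slot->labels;           // count labels shared with this node
        for (k = 0; k < have.size() && pos + k < n.size() && have[k] == n[pos + k]; ++k) {}
        if (k < have.size()) {                       // name ends or diverges mid-node
            if (!create) return nullptr;
            std::unique_ptr<Node> lower(new Node(Labels(have.begin() + k, have.end())));
            lower->down.swap(slot->down);            // split: shared labels stay on top
            slot->labels.resize(k);
            slot->down[lower->labels[0]] = std::move(lower);
        }
        cur = slot.get();
    }
    return cur;
}

// Probe a constructed NSEC3 tree for an exact match on the origin name.
bool originFound(const std::vector<std::string>& owners, const std::string& origin, bool add_origin) {
    Node root;
    if (add_origin) walk(&root, origin, true);       // the fix proposed in the ticket
    for (const std::string& o : owners) walk(&root, o, true);
    return walk(&root, origin, false) != nullptr;
}
```

With one owner name under `nsec3.tjeb.nl.` the origin has no node of its own and `originFound` returns false; with two owner names the split creates the empty origin node, and inserting the origin explicitly gives the same result for the single-RR zone.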