Error with DLV and slave zone

Frank Behrens frank at harz.behrens.de
Sun Aug 10 17:45:51 UTC 2008


Hello,

Again I reply to myself, because I have new information.

The short answer is: 23 (see below!)

Frank Behrens <frank at harz.behrens.de> wrote on 7 Aug 2008 12:35:
> I discovered a problem with my DLV setup - validation of non-signed 
> domain names fails. The special case is that I tried to use the DLV 
> zone information as slave to avoid additional network traffic during 
> name resolution. For my tests I configured
>  dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> zone "dnssec.iks-jena.de" {
>         type slave;
> 	...
> Zone transfer for this zone and lookups for zone data are working 
> well. I use bind 9.4.2-P1.
>...
> What happened you see in the log:
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy

IMHO the "empty name" is not expected by the validator and a SERVFAIL 
error is generated. The following patch is a wild hack and I'm sure 
that it is not the right solution. But it solves the problem and may 
point you in the right direction:

--- lib/dns/validator.c.orig	2008-08-08 18:17:18.971432000 +0200
+++ lib/dns/validator.c	2008-08-10 19:14:18.743667647 +0200
@@ -2441,7 +2441,7 @@ finddlvsep(dns_validator_t *val, isc_boo
 			dns_rdataset_clone(&val->frdataset, &val->dlv);
 			return (ISC_R_SUCCESS);
 		}
-		if (result == ISC_R_NOTFOUND) {
+		if (result == ISC_R_NOTFOUND && result != 23) {
 			result = create_fetch(val, dlvname, dns_rdatatype_dlv,
 					      dlvfetched, "finddlvsep");
 			if (result != ISC_R_SUCCESS)
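Review bot: the added clause in `if (result == ISC_R_NOTFOUND && result != 23)` cannot do what a reader would expect: when result equals ISC_R_NOTFOUND it is either also 23, in which case the whole create_fetch branch becomes dead code, or it is not, in which case `result != 23` is always true and the line is a no-op. If the intent is to skip the fetch for the "empty name" case seen in the log, test the symbolic result code that case actually returns and say in a comment which condition it is; a bare numeric literal hides the meaning and silently breaks if the result table is ever renumbered.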
@@ -2450,6 +2450,7 @@ finddlvsep(dns_validator_t *val, isc_boo
 		}
 		if (result != DNS_R_NXRRSET &&
 		    result != DNS_R_NXDOMAIN &&
+		    result != 23 &&
 		    result != DNS_R_NCACHENXRRSET &&
 		    result != DNS_R_NCACHENXDOMAIN)
 			return (result);
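Review bot: adding `result != 23 &&` to this list makes that code fall through to the path that handles DNS_R_NXRRSET / DNS_R_NXDOMAIN, i.e. it is treated as a negative DLV answer. Treating a result the validator did not anticipate as "no DLV record here" is a downgrade risk if the same code can be returned for any other reason, so the literal should be the named ISC_R_/DNS_R_ constant for the one condition being handled (the end of the DLV name walk when no labels remain, per the "empty name" log line), with a comment stating why that condition is safe to treat as a negative answer. The same literal appears in both hunks; define it once symbolically rather than repeating a magic number.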


Can anybody who has knowledge about the validator make a comment?
Thank you!
   Frank

-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
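The log lines quoted above show the validator walking up the query name, appending the DLV zone at each step (www.stern.de -> stern.de -> de) and then running out of labels. The following is an added illustration of that name walk, not Frank's code and not BIND's validator; it is a simplified model of the RFC 5074 lookaside search in which the walk ends at the lookaside apex, and the DLV zone content used to exercise it is constructed sample data, not real records of dnssec.iks-jena.de. It shows that exhausting the walk without a match is the normal "no lookaside anchor, name is insecure" outcome rather than an error.

```python
"""Model of the DLV lookaside name walk (RFC 5074). Added illustration only."""

from typing import Dict, List, Optional, Tuple


def labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring the trailing root dot."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def dlv_candidates(qname: str, dlv_zone: str, lookaside_apex: str = ".") -> List[str]:
    """Return the DLV owner names a validator would try for qname, most specific first.

    One leading label is stripped per step and the DLV zone is appended.
    The walk stops when no labels of the query name remain below the
    lookaside apex, which is the point where the quoted log reports
    "DLV lookup: empty name": there is nothing left to look up, so the
    search is simply over.  Names outside the lookaside apex get no search.
    """
    q = labels(qname)
    apex = labels(lookaside_apex)          # "." -> [] covers every name
    dlv = dlv_zone.rstrip(".")
    if apex and q[len(q) - len(apex):] != apex:
        return []
    steps = len(q) - len(apex)             # labels below the apex
    return [".".join(q[i:]) + "." + dlv + "." for i in range(steps)]


def dlv_outcome(
    qname: str,
    dlv_zone: str,
    dlv_rrs: Dict[str, List[str]],
    lookaside_apex: str = ".",
) -> Tuple[str, Optional[str]]:
    """Simulate the lookaside search against an in-memory DLV zone.

    Returns ("dlv-anchor", owner) for the closest DLV record found, or
    ("insecure", None) when the walk is exhausted.  The exhausted case is a
    legitimate negative answer: the name has no lookaside anchor and must
    be treated as unsigned, not answered with SERVFAIL.
    """
    for owner in dlv_candidates(qname, dlv_zone, lookaside_apex):
        if owner in dlv_rrs:
            return ("dlv-anchor", owner)
    return ("insecure", None)


# Constructed sample data (hypothetical owner and digest, not real zone content).
DLV_ZONE = "dnssec.iks-jena.de."
SAMPLE_DLV: Dict[str, List[str]] = {
    "example.org.dnssec.iks-jena.de.": ["12345 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],
}


if __name__ == "__main__":
    # Reproduces the three lookups from the quoted log, then the exhausted walk.
    for owner in dlv_candidates("www.stern.de.", DLV_ZONE):
        print("looking for DLV", owner)
    print(dlv_outcome("www.stern.de.", DLV_ZONE, SAMPLE_DLV))
    print(dlv_outcome("www.example.org.", DLV_ZONE, SAMPLE_DLV))
```

With `dnssec-lookaside "."` the candidate list for www.stern.de. is exactly the three names in the log; the step after "de" is the empty remainder and the model returns "insecure" for it. Restricting the apex (e.g. to "de.") shortens the walk and gives names outside the apex no search at all.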


