Error with DLV and slave zone
Frank Behrens
frank at harz.behrens.de
Sun Aug 10 17:45:51 UTC 2008
Hello,
again I reply to myself, because I have new information.
The short answer is: 23 (see below!)
Frank Behrens <frank at harz.behrens.de> wrote on 7 Aug 2008 12:35:
> I discovered a problem with my DLV setup - validation of non-signed
> domain names fails. The special case is that I tried to use the DLV
> zone information as slave to avoid additional network traffic during
> name resolution. For my tests I configured
> dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> zone "dnssec.iks-jena.de" {
> type slave;
> ...
> Zone transfer for this zone and lookups for zone data are working
> well. I use bind 9.4.2-P1.
>...
> You can see what happened in the log:
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy
IMHO the "empty name" is not expected by the validator and a SERVFAIL
error is generated. The following patch is a wild hack and I'm sure
that it is not the right solution. But it solves the problem and may
point you in the right direction:
--- lib/dns/validator.c.orig 2008-08-08 18:17:18.971432000 +0200
+++ lib/dns/validator.c 2008-08-10 19:14:18.743667647 +0200
@@ -2441,7 +2441,7 @@ finddlvsep(dns_validator_t *val, isc_boo
dns_rdataset_clone(&val->frdataset, &val->dlv);
return (ISC_R_SUCCESS);
}
- if (result == ISC_R_NOTFOUND) {
+ if (result == ISC_R_NOTFOUND && result != 23) {
result = create_fetch(val, dlvname, dns_rdatatype_dlv,
dlvfetched, "finddlvsep");
if (result != ISC_R_SUCCESS)
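Review bot: The changed condition `result == ISC_R_NOTFOUND && result != 23` compares the same variable against a named constant and a bare integer, so it is either a contradiction or a no-op. If 23 is the numeric value of ISC_R_NOTFOUND, the test can never be true and the create_fetch() call below it becomes dead code, which removes the DLV fetch for every caller, not only for the slave-zone case. If 23 is some other result code, the added clause changes nothing. Please name the result code symbolically and, if the intent is to skip the fetch only when the DLV zone is served locally, test for that condition explicitly rather than disabling the branch.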
@@ -2450,6 +2450,7 @@ finddlvsep(dns_validator_t *val, isc_boo
}
if (result != DNS_R_NXRRSET &&
result != DNS_R_NXDOMAIN &&
+ result != 23 &&
result != DNS_R_NCACHENXRRSET &&
result != DNS_R_NCACHENXDOMAIN)
return (result);
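Review bot: The added `result != 23 &&` puts a magic number into a list that otherwise uses only symbolic DNS_R_* constants, and it makes code 23 fall through as if it were a negative answer instead of being returned to the caller. Use the named result constant here and add a comment saying why that result is equivalent to NXRRSET/NXDOMAIN for a DLV lookup. Since the validator's answer decides whether a name is treated as insecure or fails validation, it is also worth confirming that the code after this check handles that result the same way it handles the other four before widening the accepted set.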
Can anybody who has knowledge about the validator make a comment?
Thank you!
Frank
--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.