Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Mark Andrews marka at isc.org
Thu Apr 15 03:20:39 UTC 2010 

In message <20100414232855.GP1547 at giles.gnomon.org.uk>, Roy Badami writes:
> > Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
> > I've seen no repeat of the DNSSEC name resolution issues so far; it's
> > early days yet (only been running DLV for three days) but certainly
> > looking promissing.
> 
> I spoke too soon.  I've now found a query that (at least this evening)
> is consistently failing for me, even if I restart BIND.
> 
> The following query gives me SERVFAIL
> 
>   	dig www.bbc.net.uk aaaa
> 
> But the following two queries work:
> 
> 	dig www.bbc.net.uk a
>     	dig www.bbc.net.uk aaaa +cd
> 
> This is particularly odd, because there is absolutely no DNSSEC
> involved here.

Actually there *is* DNSSEC involved or the query would not have
failed.  There is a bug in the BIND 9.7.0-P1 fixes that triggers
this.  The fix below is in review at the moment.

Mark

Index: bind9/lib/dns/validator.c
diff -u bind9/lib/dns/validator.c:1.188 bind9/lib/dns/validator.c:1.188.4.4
--- bind9/lib/dns/validator.c:1.188	Fri Mar 26 17:12:48 2010
+++ bind9/lib/dns/validator.c	Tue Apr 13 08:31:11 2010
@@ -2990,7 +2990,7 @@
 		return (ISC_R_SUCCESS);
 	}
 
-	if (val->authcount == val->authfail)
+	if (val->authfail != 0 && val->authcount == val->authfail)
 		return (DNS_R_BROKENCHAIN);
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");

 /*%

> No domain above www.bbc.net.uk appears to be in the
> DLV registry, and BIND must be able to successfully verify the
> covering NSEC record that proves that in order to be willing to
> resolve the A query above.  So I can't immediately see any way this
> situation could arise except due to a BIND bug.
> 
> Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled
> they can try this query on?
> 
>     -roy
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list