Opened 8 years ago

Closed 8 years ago

#1836 closed defect (fixed)

delegation + DO often results in exception->SERVFAIL

Reported by: jinmei Owned by: jinmei
Priority: high Milestone: Sprint-20120403
Component: b10-auth Version:
Keywords: Cc:
CVSS Scoring: Parent Tickets:
Sensitive: no Defect Severity: N/A
Sub-Project: DNS Feature Depending on Ticket:
Estimated Difficulty: 3 Add Hours to Ticket: 0
Total Hours: 1 Internal?: no


I've noticed b10-auth returns SERVFAIL when delegation to a child zone
is expected if the query has DO bit on and it's not a secure
delegation (including the case where parent zone isn't signed at all).

It's due to this:

Query::addDS(ZoneFinder& finder, const Name& dname) {
    ConstZoneFinderContextPtr ds_context =
        finder.find(dname, RRType::DS(), dnssec_opt_);
    if (ds_context->code == ZoneFinder::SUCCESS) {
    } else if (ds_context->code == ZoneFinder::NXRRSET &&
               ds_context->isNSECSigned()) {
        addNXRRsetProof(finder, *ds_context);
    } else if (ds_context->code == ZoneFinder::NXRRSET &&
               ds_context->isNSEC3Signed()) {
        // Add no DS proof with NSEC3 as specified in RFC 5155 Section 7.2.7.
        addClosestEncloserProof(finder, dname, true);
    } else {
        // Any other case should be an error
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");

I think it's pretty critical because many deployed resolvers set the
DO bit by default, while many zones are actually not even signed at
all. Also, it should be easy to fix (one line patch + test
adjustments, I guess), so I propose this to be included in the current

(But for now I'm pushing it to the next-sprint-proposed queue)


Change History (8)

comment:1 Changed 8 years ago by jinmei

  • Milestone changed from Next-Sprint-Proposed to Sprint-20120403

comment:2 Changed 8 years ago by jinmei

  • Owner set to jinmei
  • Status changed from new to accepted

comment:3 Changed 8 years ago by jinmei

trac1836 is ready for review. I believe it should be pretty

Proposed changelog entry:

410.?	[bug]		jinmei
	b10-auth now correctly handles delegation from an unsigned zone
	(defined in the in-memory data source) when the query has DNSSEC
	DO bit on.  It previously returned SERVFAIL.
	(Trac #1836, git TBD)

comment:4 Changed 8 years ago by jinmei

  • Owner changed from jinmei to UnAssigned
  • Status changed from accepted to reviewing

comment:5 Changed 8 years ago by jelte

  • Owner changed from UnAssigned to jelte

comment:6 follow-up: Changed 8 years ago by jelte

  • Owner changed from jelte to jinmei

looks good, please merge

comment:7 in reply to: ↑ 6 Changed 8 years ago by jinmei

Replying to jelte:

looks good, please merge

Thanks, merge done, closing.

Giving an estimation of 3.

comment:8 Changed 8 years ago by jinmei

  • Estimated Difficulty changed from 0 to 3
  • Resolution set to fixed
  • Status changed from reviewing to closed
  • Total Hours changed from 0 to 1
Note: See TracTickets for help on using tickets.