Opened 7 years ago

Closed 7 years ago

#2659 closed defect (fixed)

handle empty-nonterminal name with opt-outed NSEC3

Reported by: jinmei Owned by: jinmei
Priority: medium Milestone: Sprint-20130219
Component: b10-auth Version:
Keywords: Cc:
CVSS Scoring: Parent Tickets:
Sensitive: no Defect Severity: N/A
Sub-Project: DNS Feature Depending on Ticket:
Estimated Difficulty: 2 Add Hours to Ticket: 0
Total Hours: 1.8 Internal?: no

Description

See the discussion at bind10-dev
https://lists.isc.org/pipermail/bind10-dev/2013-January/004279.html

An erratum about the spec was submitted, which seems to be based on
the consensus of the dnsext wg:
https://lists.isc.org/pipermail/bind10-dev/2013-January/004279.html
We should implement it.

Specifically we should change the Query::addNSEC3ForName method of
b10-auth. BIND 9 has code handling opt-out in
bin/named/query.c:query_findclosestnsec3(). It's probably better to
check it. We should probably also check why we didn't
implement it that way in our first implementation, as this behavior gap
may mean we overlooked some other things.

Change History (9)

comment:1 Changed 7 years ago by jinmei

  • Milestone changed from Previous-Sprint-Proposed to Next-Sprint-Proposed

comment:2 Changed 7 years ago by jelte

  • Milestone changed from Next-Sprint-Proposed to Sprint-20130205
  • Priority changed from medium to low

comment:3 Changed 7 years ago by jinmei

  • Owner set to jinmei
  • Status changed from new to accepted

comment:4 Changed 7 years ago by jinmei

trac2659 is ready for review.

I've re-read the BIND 9 implementation, but was not sure how we
introduced the difference. Our findNSEC3 design is quite different
from BIND 9's underlying NSEC3 API, so we probably simply missed this
particular case.

Anyway, fixing this itself is easy, and the branch is pretty small
and (I believe) straightforward.

Proposed changelog entry:

564.?	[bug]		jinmei
	b10-auth now returns closest encloser NSEC3 proof to queries for
	an empty non terminal derived from an Opt-Out NSEC RR, as clarified
	in errata 3441 for RFC5155.  Previously it regarded such a case as
	a broken zone and returned SERVFAIL.
	(Trac #2659, git TBD)

p.s. I guess a similar issue exists for empty non terminal wildcard,
but I was not sure whether the dnsext discussion covered that topic.
I plan to ask about it at dnsext, but in any case I suggest excluding
it from this task; even if it was also clarified in the discussion, it
will be highly rare in practice so it should be okay to fix it
separately and later.
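To make the behaviour in the proposed changelog entry concrete, here is an added Python model (not b10-auth's code, and it does not mirror its findNSEC3 API) of an authoritative server's NSEC3 lookup for an empty non-terminal: with errata 3441 applied, an ENT that has no NSEC3 RR of its own gets a closest encloser proof as long as the NSEC3 covering the next closer name carries the Opt-Out flag, and only otherwise is the zone treated as broken. It assumes the hash parameters of the RFC 5155 Appendix A example zone and a constructed zone (example., www.example., mail.example., plus an unsigned delegation below ent.example. that leaves ent.example. without an NSEC3 RR).

```python
import base64
import hashlib

# Hash parameters of the RFC 5155 Appendix A example zone: SHA-1, 12 iterations, salt aabbccdd.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name):
    """RFC 5155 section 5 hash of an absolute dotted owner name, as lower-case base32hex."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    h = hashlib.sha1(wire + SALT).digest()
    for _ in range(ITERATIONS):
        h = hashlib.sha1(h + SALT).digest()
    return base64.b32encode(h).decode().translate(B32HEX)

def build_chain(signed_names, opt_out):
    """NSEC3 chain: hash-ordered (owner_hash, next_hash, opt_out_flag) records, last wraps to first."""
    hashes = sorted(nsec3_hash(n) for n in signed_names)
    return [(h, hashes[(i + 1) % len(hashes)], opt_out) for i, h in enumerate(hashes)]

def matching(chain, h):
    """The NSEC3 RR whose owner hash equals h, or None."""
    return next((r for r in chain if r[0] == h), None)

def covering(chain, h):
    """The NSEC3 RR whose (owner, next) span strictly contains h, or None."""
    for owner, nxt, flag in chain:
        if owner < h < nxt or (nxt <= owner and not nxt <= h <= owner):
            return (owner, nxt, flag)
    return None

def ent_response(qname, chain, errata_3441=True):
    """(RCODE, NSEC3 RRs) for a query at the empty non-terminal qname; SERVFAIL means broken zone."""
    own = matching(chain, nsec3_hash(qname))
    if own:
        return "NOERROR", [own]                    # ENT has its own NSEC3: RFC 5155 7.2.8 as written
    if not errata_3441:
        return "SERVFAIL", []                      # pre-fix behaviour: every ENT must have an NSEC3
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):                # walk upward to the closest encloser
        ce = matching(chain, nsec3_hash(".".join(labels[i:]) + "."))
        if ce:
            nc = covering(chain, nsec3_hash(".".join(labels[i - 1:]) + "."))
            if nc and nc[2]:                       # next closer covered by an Opt-Out NSEC3: valid proof
                return "NOERROR", [ce, nc]
            return "SERVFAIL", []                  # no Opt-Out flag, so the missing NSEC3 is a zone bug
    return "SERVFAIL", []
```

Calling ent_response("ent.example.", build_chain(["example.", "www.example.", "mail.example."], opt_out=True)) returns NOERROR with the apex NSEC3 and the Opt-Out NSEC3 covering ent.example., while errata_3441=False (or the same zone built with opt_out=False) returns SERVFAIL.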

comment:5 Changed 7 years ago by jinmei

  • Owner changed from jinmei to UnAssigned
  • Status changed from accepted to reviewing

comment:6 Changed 7 years ago by jinmei

  • Priority changed from low to medium

comment:7 Changed 7 years ago by jelte

  • Owner changed from UnAssigned to jinmei

I had a slight worry that this would reverse the problem and not work for the non-delegation ENT, but exact_ok is set, so it looks OK

quick, merge it! :)

comment:8 in reply to comment:7, changed 7 years ago by jinmei

Replying to jelte:

I had a slight worry that this would reverse the problem and not work for the non-delegation ENT, but exact_ok is set, so it looks OK

quick, merge it! :)

Thanks, merge done, closing.

comment:9 Changed 7 years ago by jinmei

  • Estimated Difficulty changed from 0 to 2
  • Resolution set to fixed
  • Status changed from reviewing to closed
  • Total Hours changed from 0 to 1.8

(also giving an estimation of 2 in retrospect)
