Opened 10 years ago

Closed 10 years ago

#74 closed defect (fixed)

auth server doesn't handle NSEC query at a zone cut correctly

Reported by: jinmei Owned by: jinmei
Priority: medium Milestone: 03. 1st Incremental Release
Component: Unclassified Version:
Keywords: Cc:
CVSS Scoring: Parent Tickets:
Sensitive: no Defect Severity:
Sub-Project: Feature Depending on Ticket:
Estimated Difficulty: Add Hours to Ticket:
Total Hours: Internal?:

Description

(see also ticket #73)

If you have these in the "jinmei.org" zone:

sec.jinmei.org. 600 IN NS ns.sec.jinmei.org.
                1200 NSEC short.jinmei.org. NS RRSIG NSEC

The BIND10 auth server responds to sec.jinmei.org/NSEC with the following:

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sec.jinmei.org. IN NSEC
;; AUTHORITY SECTION:
sec.jinmei.org. 600 IN NS ns.sec.jinmei.org.

This is incorrect. It should return the NSEC RR(set) with the AA bit set.

Change History (6)

comment:1 Changed 10 years ago by each

  • Resolution set to fixed
  • Status changed from new to closed

Addressed in r1329, and unit test added.

comment:2 Changed 10 years ago by jinmei

  • Resolution fixed deleted
  • Status changed from closed to reopened

I'm afraid this fix is incomplete. Consider this delegation setup:

nosecdelegation.jinmei.org. 3600 IN NS ns.nosecdelegation.jinmei.org.
ns.nosecdelegation.jinmei.org. 3600 IN A 192.0.2.1
(no NSEC)

If you send a query for nosecdelegation.jinmei.org./NSEC, the BIND10 auth server returns NOERROR+empty answer with AA being set. This is incorrect. It should simply return a referral in this case.

Reopening the ticket.

comment:3 Changed 10 years ago by jinmei

  • Status changed from reopened to assigned

comment:4 Changed 10 years ago by jinmei

I've added a test case for this (currently fails as pointed out, so disabled). See DataSrcTest.NSECZonecutOfNonsecureZone (r1391).

comment:5 follow-up: Changed 10 years ago by each

  • Owner changed from each to jinmei

I believe this is corrected in r1433. The unit test now passes.

comment:6 in reply to: ↑ 5 Changed 10 years ago by jinmei

  • Resolution set to fixed
  • Status changed from assigned to closed

Replying to each:

> I believe this is corrected in r1433. The unit test now passes.

Yes, r1433 seems to fix the problem. I'm not sure if this is an appropriate fix, though. The code logic is now getting more and more counterintuitive - I suspect it's difficult for other developers to understand why we need these tricky conditions. See also my comment on ticket #70 (http://bind10.isc.org/ticket/70#comment:12).

But I'm okay with closing this ticket for now.
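
The two cases from this ticket, as an added example that is not part of the ticket and is not BIND 10 code: a qname/NSEC query at a zone cut is answered with AA set when the parent zone holds an NSEC at that name, and otherwise gets a plain referral. The dict layout, the Response class and the function names are assumptions made for illustration; the records are constructed from the ones quoted above.

```python
from dataclasses import dataclass, field

# Constructed parent-zone data (jinmei.org), keyed by owner name, then RR type.
# Each RR type maps to a list of (ttl, rdata) pairs. The zone apex is not modelled.
ZONE = {
    "sec.jinmei.org.": {
        "NS": [(600, "ns.sec.jinmei.org.")],
        "NSEC": [(1200, "short.jinmei.org. NS RRSIG NSEC")],
    },
    "nosecdelegation.jinmei.org.": {
        "NS": [(3600, "ns.nosecdelegation.jinmei.org.")],
    },
    "ns.nosecdelegation.jinmei.org.": {
        "A": [(3600, "192.0.2.1")],
    },
}


@dataclass
class Response:
    aa: bool
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def rrs(zone, name, rtype):
    """Return the RRset at name/rtype as (owner, ttl, type, rdata) tuples."""
    return [(name, ttl, rtype, rdata)
            for ttl, rdata in zone.get(name, {}).get(rtype, [])]


def respond_nsec_at_cut(zone, qname):
    """Build the reply to a qname/NSEC query where qname is a delegation point."""
    if "NS" not in zone.get(qname, {}):
        raise ValueError(f"{qname} is not a zone cut in this zone")
    nsec = rrs(zone, qname, "NSEC")
    if nsec:
        # The NSEC at a cut is parent-zone data: answer it authoritatively.
        return Response(aa=True, answer=nsec)
    # No NSEC at the cut: a plain referral with AA clear, NS in the
    # authority section and in-bailiwick glue in the additional section.
    ns = rrs(zone, qname, "NS")
    glue = []
    for _, _, _, target in ns:
        if target == qname or target.endswith("." + qname):
            glue += rrs(zone, target, "A") + rrs(zone, target, "AAAA")
    return Response(aa=False, authority=ns, additional=glue)
```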
