Hello,

again I reply to myself, because I have new information.

The short answer is: 23 (see below!)

Frank Behrens <[EMAIL PROTECTED]> wrote on 7 Aug 2008 12:35:
> I discovered a problem with my DLV setup - validation of non signed 
> domain names fails. The special case is, that I tried to use the DLV 
> zone information as slave to avoid additional network traffic during 
> name resolution. For my tests I configured
>  dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> zone "dnssec.iks-jena.de" {
>         type slave;
>       ...
> Zone transfer for this zone and lookups for zone data are working 
> well. I use bind 9.4.2-P1.
>...
> What happened you see in the log:
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): 
> looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV 
> www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV 
> stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy

IMHO the "empty name" is not expected by the validator and a SERVFAIL 
error is generated. The following patch is a wild hack and I'm sure 
that it is not the right solution. But it solves the problem and may 
point you in the right direction:

--- lib/dns/validator.c.orig    2008-08-08 18:17:18.971432000 +0200
+++ lib/dns/validator.c 2008-08-10 19:14:18.743667647 +0200
@@ -2441,7 +2441,7 @@ finddlvsep(dns_validator_t *val, isc_boo
                        dns_rdataset_clone(&val->frdataset, &val->dlv);
                        return (ISC_R_SUCCESS);
                }
-               if (result == ISC_R_NOTFOUND) {
+               if (result == ISC_R_NOTFOUND && result != 23) {
                        result = create_fetch(val, dlvname, dns_rdatatype_dlv,
                                              dlvfetched, "finddlvsep");
                        if (result != ISC_R_SUCCESS)
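Review bot: the added clause in `if (result == ISC_R_NOTFOUND && result != 23)` tests the same variable against two values, so it cannot select a sub-case. If ISC_R_NOTFOUND is numerically 23, the condition is always false and the create_fetch() call below becomes unreachable for every name, not only for the empty-name case from the log. If it is any other value, the clause changes nothing. Suggest naming the result code that 23 stands for, and if the fetch should be skipped only when the DLV name is empty, testing that condition explicitly (for example on dlvname) instead of on the result value.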
@@ -2450,6 +2450,7 @@ finddlvsep(dns_validator_t *val, isc_boo
                }
                if (result != DNS_R_NXRRSET &&
                    result != DNS_R_NXDOMAIN &&
+                   result != 23 &&
                    result != DNS_R_NCACHENXRRSET &&
                    result != DNS_R_NCACHENXDOMAIN)
                        return (result);
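Review bot: `result != 23 &&` puts a bare integer into a list that otherwise uses named codes (DNS_R_NXRRSET, DNS_R_NXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NCACHENXDOMAIN). Use the symbolic constant so the check does not depend on result-code numbering and a reader can see which condition is now being treated like a negative answer. With this change result 23 no longer reaches `return (result);` and falls through to the code after this test, which is not visible in the hunk; add a comment stating why continuing is correct for the validator in that case.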


Can anybody who has knowledge about the validator make a comment?
Thank you!
   Frank

-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.

