> Hello,
> 
> again I reply to myself, because I have new information.
> 
> The short answer is: 23 (see below!)
> 
> Frank Behrens <[EMAIL PROTECTED]> wrote on 7 Aug 2008 12:35:
> > I discovered a problem with my DLV setup - validation of non signed 
> > domain names fails. The special case is, that I tried to use the DLV 
> > zone information as slave to avoid additional network traffic during 
> > name resolution. For my tests I configured
> >  dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> > zone "dnssec.iks-jena.de" {
> >         type slave;
> >     ...
> > Zone transfer for this zone and lookups for zone data are working 
> > well. I use bind 9.4.2-P1.
> >...
> > What happened you see in the log:
> > validating @0x91f7800: www.stern.de A: starting
> > validating @0x91f7800: www.stern.de A: looking for DLV
> > validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> > validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> > validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> > validator @0x91f7800: dns_validator_destroy
> 
> IMHO the "empty name" is not expected by the validator and a SERVFAIL 
> error is generated. The following patch is a wild hack and I'm sure 
> that it is not the right solution. But it solves the problem and may 
> point you in the right direction:
> 
> --- lib/dns/validator.c.orig  2008-08-08 18:17:18.971432000 +0200
> +++ lib/dns/validator.c       2008-08-10 19:14:18.743667647 +0200
> @@ -2441,7 +2441,7 @@ finddlvsep(dns_validator_t *val, isc_boo
>                       dns_rdataset_clone(&val->frdataset, &val->dlv);
>                       return (ISC_R_SUCCESS);
>               }
> -             if (result == ISC_R_NOTFOUND) {
> +             if (result == ISC_R_NOTFOUND && result != 23) {
>                       result = create_fetch(val, dlvname, dns_rdatatype_dlv,
>                                             dlvfetched, "finddlvsep");
>                       if (result != ISC_R_SUCCESS)
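
Review bot: the added `&& result != 23` on the `result == ISC_R_NOTFOUND` line cannot change behaviour in a useful way. Once `result == ISC_R_NOTFOUND` holds, the second comparison is either always true (no effect) or, if the two values were equal, always false (the `create_fetch` branch becomes dead). Drop this change and keep the fix in the second hunk only.
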
> @@ -2450,6 +2450,7 @@ finddlvsep(dns_validator_t *val, isc_boo
>               }
>               if (result != DNS_R_NXRRSET &&
>                   result != DNS_R_NXDOMAIN &&
> +                 result != 23 &&
>                   result != DNS_R_NCACHENXRRSET &&
>                   result != DNS_R_NCACHENXDOMAIN)
>                       return (result);
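
Review bot: `result != 23` in the list of tolerated results hard-codes a numeric result code with no comment saying which case it stands for. Use the symbolic constant for "empty name" instead (the reply's patch uses `DNS_R_EMPTYNAME` at the equivalent test), so the check does not depend on the numbering and a reader can see what is being accepted.
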
> 
> 
> Can anybody who has knowledge about the validator make a comment?

        It's clearly wrong.

> Thank you!
>    Frank

        The following has not been reviewed for correctness.  It
        treats "empty name" as NXRRSET of which "empty name" is a
        special case.

        Mark

Index: lib/dns/validator.c
===================================================================
RCS file: /proj/cvs/prod/bind9/lib/dns/validator.c,v
retrieving revision 1.160
diff -u -r1.160 validator.c
--- lib/dns/validator.c 19 Feb 2008 17:07:55 -0000      1.160
+++ lib/dns/validator.c 11 Aug 2008 02:46:04 -0000
@@ -939,6 +939,7 @@
        } else if (result != ISC_R_SUCCESS &&
                   result != DNS_R_NCACHENXDOMAIN &&
                   result != DNS_R_NCACHENXRRSET &&
+                  result != DNS_R_EMPTYNAME &&
                   result != DNS_R_NXRRSET &&
                   result != ISC_R_NOTFOUND) {
                goto  notfound;
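
Review bot: the new `result != DNS_R_EMPTYNAME` line has no comment explaining why an empty name is acceptable here; the cover text says it is handled as a special case of NXRRSET, and one line saying so in the code would save the next reader the search. This list also has no `DNS_R_NXDOMAIN` entry, while the other three touched tests do; worth confirming that difference is intended before extending the list.
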
@@ -1196,6 +1197,7 @@
                return (DNS_R_WAIT);
        } else if (result ==  DNS_R_NCACHENXDOMAIN ||
                   result == DNS_R_NCACHENXRRSET ||
+                  result == DNS_R_EMPTYNAME ||
                   result == DNS_R_NXDOMAIN ||
                   result == DNS_R_NXRRSET)
        {
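
Review bot: the five-code test ending at `result == DNS_R_NXRRSET)` now appears verbatim a second time in the @@ -1803 hunk, with its inverse at @@ -2462. A small macro or static helper for "negative answer" would keep these lists from drifting apart the next time a result code has to be added.
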
@@ -1803,8 +1805,9 @@
                        if (result != ISC_R_SUCCESS)
                                return (result);
                        return (DNS_R_WAIT);
-                } else if (result ==  DNS_R_NCACHENXDOMAIN ||
+               } else if (result ==  DNS_R_NCACHENXDOMAIN ||
                           result == DNS_R_NCACHENXRRSET ||
+                          result == DNS_R_EMPTYNAME ||
                           result == DNS_R_NXDOMAIN ||
                           result == DNS_R_NXRRSET)
                {
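
Review bot: the `-`/`+` pair on the `} else if (result ==  DNS_R_NCACHENXDOMAIN ||` line differs only in leading whitespace, so an indentation change is mixed into a functional fix. Leave that line untouched or send the whitespace cleanup separately, so the only change in this hunk is the added `DNS_R_EMPTYNAME` line.
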
@@ -2462,6 +2465,7 @@
                }
                if (result != DNS_R_NXRRSET &&
                    result != DNS_R_NXDOMAIN &&
+                   result != DNS_R_EMPTYNAME &&
                    result != DNS_R_NCACHENXRRSET &&
                    result != DNS_R_NCACHENXDOMAIN)
                        return (result);
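
Review bot: this is the same test the original poster's patch changed, and the patch is stated as not reviewed for correctness, so it needs a regression test before it goes in. With the DLV zone served locally as a slave, a query for an unsigned name whose DLV walk ends in "DLV lookup: empty name" should come back as an insecure answer rather than SERVFAIL.
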
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
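
The DLV walk from the log above, as an added toy model in C (not BIND code and not part of either patch). It shows why the last step returns "empty name" and how the outcome changes once that result is treated as a negative answer. The zone contents, `zone_find_dlv`, `find_dlv` and the `emptyname_is_negative` flag are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

typedef enum { R_SUCCESS, R_NXDOMAIN, R_EMPTYNAME, R_SERVFAIL, R_INSECURE } res_t;

/* Constructed contents of the locally slaved DLV zone: owners of DLV RRsets. */
static const char *dlv_owners[] = { "example.de.dnssec.iks-jena.de" };
static const char *dlv_apex = "dnssec.iks-jena.de";

/* Local zone lookup: an exact owner match succeeds; a name that exists only
 * as an ancestor of an owner has no records of its own ("empty name"). */
static res_t zone_find_dlv(const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof dlv_owners / sizeof *dlv_owners; i++) {
        const char *o = dlv_owners[i];
        size_t m = strlen(o);
        if (strcmp(o, name) == 0)
            return R_SUCCESS;
        if (m > n + 1 && o[m - n - 1] == '.' && strcmp(o + m - n, name) == 0)
            return R_EMPTYNAME;
    }
    return R_NXDOMAIN;
}

/* Strip one label per step, as in the log. With emptyname_is_negative == 0
 * an empty name aborts the walk (the SERVFAIL reported in the thread);
 * with 1 it is handled like any other negative answer. */
static res_t find_dlv(const char *qname, int emptyname_is_negative) {
    char name[256];
    const char *p = qname;
    while (p != NULL) {
        snprintf(name, sizeof name, "%s.%s", p, dlv_apex);
        res_t r = zone_find_dlv(name);
        if (r == R_SUCCESS)
            return R_SUCCESS;
        if (r == R_EMPTYNAME && !emptyname_is_negative)
            return R_SERVFAIL;
        p = strchr(p, '.');   /* negative answer: try the parent name */
        if (p != NULL)
            p++;
    }
    return R_INSECURE;        /* no DLV record anywhere on the path */
}

int main(void) {
    printf("before: %d\n", find_dlv("www.stern.de", 0));
    printf("after:  %d\n", find_dlv("www.stern.de", 1));
    return 0;
}
```
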
