I confirmed the fix here

________________________________
From: Jeroen Koekkoek <jer...@nlnetlabs.nl>
Sent: Wednesday, October 23, 2024 5:13 AM
To: Chris LaVallee <claval...@edg.io>; nsd-users@lists.nlnetlabs.nl <nsd-users@lists.nlnetlabs.nl>
Subject: Re: [nsd-users] SIGSEGV in rbtree_find_less_equal

Hi Chris,

I've merged the commit that resolves the issue
(https://github.com/NLnetLabs/nsd/pull/389). The next release will
include it. Thanks again for reporting.

Also, a statement in my previous response was incorrect. RFC 5155 says:

    Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
    the empty non-terminal is only derived from an insecure delegation
    covered by an Opt-Out NSEC3 RR.

Best regards,
Jeroen

On Wed, 2024-10-16 at 14:30 +0000, Chris LaVallee wrote:
> Hi Jeroen,
>
> In the case that triggered this crash for us, someone typo-ed
> nsd.conf by adding the zone "bar.foo.com" (which didn't exist). They
> meant to add a different zone name.
>
> Chris
>
> From: Jeroen Koekkoek <jer...@nlnetlabs.nl>
> Sent: Wednesday, October 16, 2024 3:18 AM
> To: Chris LaVallee <claval...@edg.io>; nsd-users@lists.nlnetlabs.nl <nsd-users@lists.nlnetlabs.nl>
> Subject: Re: [nsd-users] SIGSEGV in rbtree_find_less_equal
>
> Hi Chris,
>
> I've properly started looking into this yesterday. NSD definitely
> shouldn't crash, still working on that.
>
> However, the provided zone is invalid too(?) I'm not the foremost
> expert on NSEC3 (or even DNSSEC), but it seems an NSEC3 is missing
> for bar.foo.com. Empty non-terminals should still have an NSEC3 RR.
>
> (Of course, the delegation point should be at bar.foo.com. too and
> a.bar.foo.com. is an occluded name and this situation is purely
> hypothetical).
>
> I used the attached zone file along with the following commands to
> generate a zone file to The input I used to generate:
>
>     ldns-keygen -a 13 -k foo.com
>     dnssec-signzone -3 AA61D5A398769C09 -H 0 -S -A -z -o foo.com. foo.com.zone Kfoo.com.+013+58636
>
> Doesn't get me the exact same thing, but good enough to get the
> same segfault.
>
> - Jeroen
>
> On Wed, 2024-10-09 at 13:53 +0200, Jeroen Koekkoek via nsd-users wrote:
> > Hi Chris,
> >
> > I can reproduce with your zone. Thanks!
> >
> > Best,
> > Jeroen
> >
> > On Tue, 2024-10-08 at 14:07 +0000, Chris LaVallee wrote:
> > > Hi Jeroen,
> > >
> > > Attached is the zone I used. Did you add the record for a.bar ?
> > >
> > > Ex:
> > >
> > >     a.bar 300 IN NS ns.somewhere.net.
> > >
> > > Chris
> > >
> > > From: Jeroen Koekkoek <jer...@nlnetlabs.nl>
> > > Sent: Tuesday, October 8, 2024 5:33 AM
> > > To: Chris LaVallee <claval...@edg.io>; nsd-users@lists.nlnetlabs.nl <nsd-users@lists.nlnetlabs.nl>
> > > Subject: Re: [nsd-users] SIGSEGV in rbtree_find_less_equal
> > >
> > > Hi Chris,
> > >
> > > I'm having trouble trying to reproduce the issue locally.
> > >
> > > Like you I configure two zones.
> > >
> > >     zone:
> > >         name: example.com.
> > >         zonefile: example.com.zone.signed
> > >
> > >     zone:
> > >         name: bar.example.com.
> > >         zonefile: bar.example.com.zone
> > >
> > > The file bar.example.com.zone does not exist. After touching and
> > > reloading the signed zone, no segfault occurs. I've tried with and
> > > without the "--disable-radix-tree" configure option (as the error
> > > occurs in the rbtree). I've also tried with example.com. being an
> > > NSEC and NSEC3 zone.
> > >
> > > Can you provide some more details?
> > >
> > > Best regards,
> > > Jeroen
> > >
> > > On Wed, 2024-10-02 at 14:57 +0000, Chris LaVallee via nsd-users wrote:
> > > > Hi,
> > > >
> > > > I found a reproducible seg fault with a DNSSEC signed zone and
> > > > overlapping config. I'm running NSD 4.10.1. Here's how to
> > > > reproduce.
> > > >
> > > > 2 zones in nsd.conf:
> > > >
> > > >     zone:
> > > >         name: "foo.com."
> > > >         zonefile: "/zones/foo.com.zone.signed"
> > > >
> > > >     zone:
> > > >         name: "bar.foo.com."
> > > >         zonefile: "/zones/bar.foo.com.zone"
> > > >
> > > > Zone files:
> > > >
> > > > foo.com.zone.signed is DNSSEC signed with a record for a.bar (A
> > > > record or anything)
> > > > bar.foo.com.zone doesn't exist (but it's in nsd.conf shown above)
> > > >
> > > > Steps:
> > > > 1) Startup NSD
> > > > 2) touch foo.com.zone.signed
> > > > 3) reload NSD
> > > >
> > > > nsd.log will say:
> > > >
> > > >     [2024-10-02 07:19:58.691] nsd[962739]: info: control cmd: reload
> > > >     [2024-10-02 07:19:58.845] nsd[962752]: error: handle_reload_cmd: reload closed cmd channel
> > > >     [2024-10-02 07:19:58.845] nsd[962752]: warning: Reload process 962740 failed, continuing with old database
> > > >
> > > > core dump says SIGSEGV in rbtree_find_less_equal
> > > >
> > > > Chris LaVallee
> > > > Edgio (formally EdgeCast Networks)
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
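
Added example (not part of the thread and not NSD code): a pre-reload lint for the configuration condition reported above, a `zone:` entry whose zonefile does not exist, noting when the name sits beneath another configured zone. The names `parse_zones` and `lint` are hypothetical; the parser assumes plain `zone:` clauses with literal `name:` and `zonefile:` values and does not resolve `pattern:`, `include:` or `zonesdir:`.

```python
import os
import re

# Constructed sample mirroring the two-zone nsd.conf quoted in the thread.
SAMPLE_CONF = """
zone:
    name: "foo.com."
    zonefile: "/zones/foo.com.zone.signed"

zone:
    name: "bar.foo.com."   # mistyped entry, no such zone file
    zonefile: "/zones/bar.foo.com.zone"
"""

def parse_zones(conf_text):
    """Return (name, zonefile) per 'zone:' clause; other clauses are skipped."""
    zones, cur = [], None
    for raw in conf_text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip().strip('"')
        if not val:                      # clause header: zone:, server:, ...
            cur = {} if key == "zone" else None
            if cur is not None:
                zones.append(cur)
        elif cur is not None and key in ("name", "zonefile"):
            cur[key] = val
    return [(z.get("name", "").rstrip(".").lower(), z.get("zonefile"))
            for z in zones]

def lint(conf_text, exists=os.path.isfile):
    """List zones whose zonefile is absent, with any configured ancestor zone."""
    zones = parse_zones(conf_text)
    names = {name for name, _ in zones}
    findings = []
    for name, zonefile in zones:
        if zonefile and exists(zonefile):
            continue
        labels = name.split(".")
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels)))
        parent = next((a for a in ancestors if a in names), None)
        findings.append({"zone": name, "zonefile": zonefile, "parent": parent})
    return findings

if __name__ == "__main__":
    # Stand-in for the filesystem in the report: only the signed file exists.
    for f in lint(SAMPLE_CONF, exists=lambda p: p.endswith(".signed")):
        level = "OVERLAP" if f["parent"] else "MISSING"
        print(level, f)
```

Run against the real file with `lint(open("/etc/nsd/nsd.conf").read())` (path is an assumption) before issuing a reload; a finding with a non-empty `parent` matches the mistyped-zone situation described in the thread.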