Re: auth-zones and DNS NOTIFY

Mon, 04 Jun 2018 02:34:26 -0700 

Hi,

On 04/06/18 11:29, Harry Schmalzbauer wrote:
> Am 04.06.2018 um 11:01 schrieb W.C.A. Wijngaards:
>> Hi Harry,
>>
>> On 02/06/18 19:24, Harry Schmalzbauer wrote:
>>> Am 02.06.2018 um 16:44 schrieb Harry Schmalzbauer via Unbound-users:
>>>> Am 17.04.2018 um 15:26 schrieb W.C.A. Wijngaards via Unbound-users:
>>>>> Hi Harry,
>>>>>
>>>>> Yes, DNS NOTIFY is implemented in the current code repo version.  You
>>>>> can specify additional sources with allow-notify.
>>>> Great, thanks a lot!.
>>>> Found time to update some production systems, but unfortunately zone
>>>> transfer seem to work only initially, then I see these messages logged:
>> Thank you very much for the detailed report.  I found the deadlock
>> problem and fixed it for the upcoming release.
>>
>> There is a patch as well in case that is useful for you.  The routine
>> simply forgot to unlock in one of the cases for an incoming NOTIFY
>> message.  This explains why the other report did not encounter the
>> problem.
>>
>> Index: services/authzone.c
>> ===================================================================
>> --- services/authzone.c    (revision 4703)
>> +++ services/authzone.c    (working copy)
>> @@ -3425,8 +3425,10 @@
>>   {
>>       /* if the serial of notify is older than we have, don't fetch
>>        * a zone, we already have it */
>> -    if(has_serial && !xfr_serial_means_update(xfr, serial))
>> +    if(has_serial && !xfr_serial_means_update(xfr, serial)) {
>> +        lock_basic_unlock(&xfr->lock);
>>           return;
>> +    }
>>       /* start new probe with this addr src, or note serial */
>>       if(!xfr_start_probe(xfr, env, fromhost)) {
>>           /* not started because already in progress, note the serial */
>>
>>
>> Best regards, Wouter
>>
> 
> Kudos!
> Highly appreciate your work and support!  Far better than many
> commercial competitors…
> Will drop a note after testing, which might not happen before next week :-(
> 
> One short question: Does this also address/explain the stall/outage
> (more precisly the "error response SERVFAIL") for stub-zone: matching
> queries?

Possibly, not getting updates would explain servfail, because an expired
auth zone cannot deliver the information for resolution.  But it may not
be this, it could be some other issue.

Best regards, Wouter

> 
> Thanks,
> 
> -harry
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to