[ldns-users] ldns-verify-zone bug

Willem Toorop Willem at NLnetLabs.nl
Wed Nov 21 22:26:14 UTC 2012

Thanks Peter!

The issue is triggered when the last line of a parsed zone is an NSEC3
(or its RRSIG) covering an empty non-terminal. c.test.com in your case.
When the last record would have been the
qd81ag9inqts1ocs7api0pji94k27btr.test.com. NSEC3 or RRSIG record, the
error would not have occurred!

ldns-1.6.13 did not get into this condition, because it had a different
bug that would allow for NSEC3s not covering anything within the zone.
The fix for that bug unfortunately triggered this one.

Thanks again for noticing and reporting!

-- Willem

On 21-11-12 17:21, Jan-Piet Mens wrote:
>> [vagrant at pdns ~/pdns/regression-tests/ldns-verify-zone]$ ldns-verify-zone test.com
>> original of NSEC3 hashed name could not be found at 81
> I get the same error with 1.6.16, but the zone verifies correctly with
> ldns 1.6.13:
>         $ curl -o test.com http:// your url
>         $ ldns-verify-zone test.com
>         Checking: test.com.
>         Checking: _underscore.test.com.
>         Checking: c.test.com.
>         Checking: b.c.test.com.
>         Checking: a.b.c.test.com.
>         Checking: *.a.b.c.test.com.
>         Checking: counter.test.com.
>         Checking: dc.test.com.
>         Checking: _tcp.dc.test.com.
>         Checking: _double._tcp.dc.test.com.
>         Checking: _ldap._tcp.dc.test.com.
>         Checking: enum.test.com.
>         Checking: server1.test.com.
>         Checking: test.test.com.
>         Checking: *.test.test.com.
>         Checking: www.test.test.com.
>         Checking: very-long-txt.test.com.
>         Checking: within-server.test.com.
>         Checking: www.test.com.
>         Zone is verified and complete
> Regards,
>         -JP
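
An added illustration, not part of the original thread and not ldns code: mapping NSEC3 hashed owner names back to their originals (RFC 5155 hashing) only works when empty non-terminals such as c.test.com are among the candidate names. It does not reproduce the last-line parsing condition described above; the owner set, salt and iteration count are constructed.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex, lowercase (RFC 4648 / RFC 5155).
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt, iterations):
    """Hashed owner label for `name` (RFC 5155, SHA-1)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # `iterations` additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def empty_non_terminals(owners, apex):
    """Names between the apex and an owner that hold no records themselves."""
    owners = {o.lower() for o in owners}
    ents = set()
    for owner in owners:
        parent = owner.split(".", 1)[1]
        while parent.endswith("." + apex) and parent != apex:
            if parent not in owners:
                ents.add(parent)
            parent = parent.split(".", 1)[1]
    return ents

def unresolved_hashes(nsec3_labels, candidates, salt, iterations):
    """Hashed labels that no candidate name hashes to."""
    known = {nsec3_hash(n, salt, iterations) for n in candidates}
    return sorted(set(nsec3_labels) - known)

# Constructed sample zone: only these names own records.
APEX = "test.com."
OWNERS = {"test.com.", "a.b.c.test.com.", "www.test.com."}
SALT, ITERATIONS = bytes.fromhex("abcd"), 1   # constructed parameters

ENTS = empty_non_terminals(OWNERS, APEX)      # b.c.test.com., c.test.com.
# A complete NSEC3 chain has one hashed owner per name, ENTs included.
CHAIN = [nsec3_hash(n, SALT, ITERATIONS) for n in OWNERS | ENTS]

if __name__ == "__main__":
    # Matching against record owners alone leaves the ENT hashes without an original.
    print("without ENTs:", unresolved_hashes(CHAIN, OWNERS, SALT, ITERATIONS))
    print("with ENTs:   ", unresolved_hashes(CHAIN, OWNERS | ENTS, SALT, ITERATIONS))
```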