[ldns-users] [validns-users] just started with validns - few problems

Paul Wouters paul at nohats.ca
Tue Feb 25 16:46:34 UTC 2014

On Mon, 24 Feb 2014, Emil Natan wrote:

> When I ran validns on the zone with missing SOA record:
> validns -z test.org test.org.zone.bad 
> test.org.zone.bad:6: the first record in the zone must be an SOA record

> When I have bigger zone, at some point it Seg faults.
> Running on the signed zone:
>  validns -s -z test.org test.org.zone.signed.bad 
> records found:       43
> skipped dups:        0
> record sets found:   33
> unique names found:  15
> delegations found:   0
>     nsec3 records:   7
> not authoritative names, not counting delegation points:
>                      0
> validation errors:   0
> signatures verified: 19
> time taken:          0.004s

Note that the signing process _added_ a SOA record, so while the
unsigned zone was broken, the signed zone was not.

Although validns should probably also warn about nameservers being
within the zone but not have an A/AAAA record. In this case, it is
even true for _all_ nameservers so the zone is basically dead.

ldns-verify-zone also does not complain about that. It should.

named-checkzone handles that properly:

$ named-checkzone test.org  /tmp/test.org.zone.signed.bad 
zone test.org/IN: NS 'ns.test.org' has no address records (A or AAAA)
zone test.org/IN: NS 'ns2.test.org' has no address records (A or AAAA)
zone test.org/IN: NS 'ns3.test.org' has no address records (A or AAAA)
zone test.org/IN: not loaded due to errors.

> Running ldns-verify-zone on the same zone:
> ldns-verify-zone test.org.zone.signed.bad
> Error: no signatures for test.org.      NSEC3PARAM
> There were errors in the zone

I guess one could argue about whether NSEC3PARAM should be signed or
not. IMHO, it should not even be in the zone at all, its a bind/isc hack
that made it into an RFC :P Perhaps ldns-verify-zone should not give
an error for that? Although I wonder which signers actually skip signing
the NSEC3PARAM record. That a bind signer thing as isc.org's nsec3param
also seems to miss the RRSIG record for NSEC3PARAM.

opendnssec does sign it.

However, ldns-verify-zone does give a bad error when running on the
SOA-less zone:

~> ldns-verify-zone /tmp/test.org.zone.bad 
General memory error at 19

So I've CC:ed the ldns list on this :)


More information about the ldns-users mailing list