[nsd-users] Trying to understand a SERVFAIL
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Mon Feb 1 10:03:49 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Pim, Jeremy,
Yes that would also create a parent and its child zone on the same
server with a CNAME between them triggering double 'additional section
processing', resulting in a message with two NS rrsets in the authority
section out of NSD, which the BIND resolver rejects.
Perhaps this can be fixed in NSD - since two NS sets is simply very
large and we can make the responses smaller in this case. Probably by
including only the 'first' NS set (for the source of the CNAME),
although many resolvers immediately query for the destination of the CNAME.
I believe isc has a mailing list, forum, bind9-bugs at isc.org ticket
system ... so it should not be too hard to tell them if you want. I am
not completely sure what the perfect fix is either.
Best regards,
Wouter
On 01/31/2010 03:39 PM, Pim van Pelt wrote:
> Hoi Wouter, Colleagues,
>
> On Fri, Jan 1, 2010 at 1:07 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Pim, Jeremy,
>>
>> This response looks like a corner case. I think it may trigger that bad
>> behaviour in some resolvers. This may be something that is caused by
>> new 'Kaminksy-era-paranoia' fixes in resolvers.
> I have seen the unwanted behavior in second zone that I loaded from a
> bind9 authorative to an nsd one:
> $ORIGIN sixxs.net.
> m NS ns1 NS ns2 NS ns3
> tic CNAME tic.m
>
> and m.sixxs.net runs on the bind9 authoritative servers. A query
> coming to tic.sixxs.net fails, when the NSD gets it, it serves out a
> reply but it is not understood by all resolvers.
>
> I think this is an issue that can likely be fixed in NSD even if it is
> an issue also in bind (resolver). Where can I file a bug against it?
> Should this discussion be brought broader (so the teams can hash it
> out amongst themselves how to best fix it?). If so - can you help me
> get the right people aligned? I've not posted to name droppers lists
> since quite a few years ;)
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAktmpwUACgkQkDLqNwOhpPgxUwCdGh7FQWKbNVJGS5qisw5CfWgd
/FoAnRko7ZihsXpQcBD4hA7yUgvWcmdN
=Kjeg
-----END PGP SIGNATURE-----
More information about the nsd-users
mailing list