[Opendnssec-develop] [OpenDNSSEC] #183: Serious issue in zone_fetcher (includes patch)

OpenDNSSEC owner-dnssec-trac at kirei.se
Fri Sep 10 12:10:14 UTC 2010

#183: Serious issue in zone_fetcher (includes patch)
Reporter:  roland    |       Owner:  rb                   
    Type:  defect    |      Status:  new                  
Priority:  critical  |   Component:  Signer               
 Version:  1.1.1     |    Keywords:  zone_fetcher AXFR bug
 Guys, I have found a serious bug in the zone_fetcher. The result of this
 bug is that if an AXFR fails half-way through, the zone_fetcher assumes
 that the transfer was successful. The result of this is that the signer
 receives a partial zone as input which it will sign diligently and will be
 served out.

 The end result is that mangled zones end up on the Internet which is very
 bad indeed. The patch included with this ticket fixes two issues:

 * It checks after the AXFR ends whether the AXFR was complete (i.e.
 whether the SOA record was seen twice as per the RFC; it uses the LDNS
 function ldns_axfr_complete for this).
 * The code is changed so the ldns_resolver structure used by the
 zone_fetcher is not re-used. I've talked to Wouter from NLnet Labs and he
 is of the opinion that it was never designed to be used for multiple
 AXFRs. The fact that the zone_fetcher starts acting erroneously seems to
 suggest that this is indeed the case. I now create and clean up an
 ldns_resolver structure for each separate AXFR; this vastly improves the
 stability of the zone fetcher.

 I highly recommend that we plan a new release ASAP that includes this fix
 as we got into serious trouble because of this bug. It is most likely to
 occur for larger zones such as our main domain surfnet.nl. Let's just say
 that it's not good if all records that start with the letters s-z are not
 served out...

Ticket URL: <http://trac.opendnssec.org/ticket/183>
OpenDNSSEC <http://www.opendnssec.org/>
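The completeness check the ticket's patch adds, written out as an added example (this is not the patch itself and uses no ldns code): the RFC framing rule that a full AXFR opens and closes with the same zone SOA is applied to a constructed record stream, so it runs offline instead of calling ldns_axfr_complete against a live server. The zone name, serial, record types and the cut-off point are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a resource record as it arrives in an AXFR stream.
 * Constructed for this example; these are not ldns or OpenDNSSEC types. */
typedef enum { RR_SOA, RR_NS, RR_A, RR_MX } rr_type_t;
typedef struct {
    const char *owner;
    rr_type_t type;
    uint32_t soa_serial;  /* meaningful only when type == RR_SOA */
} rr_t;
typedef enum { AXFR_COMPLETE, AXFR_TRUNCATED, AXFR_MALFORMED } axfr_status_t;

/* Framing rule the fix relies on (RFC 5936, section 2.2): a full transfer
 * opens with the zone's SOA and ends with that same SOA. Anything else is
 * not a usable zone and must not be handed to the signer. */
axfr_status_t axfr_check(const rr_t *rrs, size_t n)
{
    if (n == 0 || rrs[0].type != RR_SOA)
        return AXFR_MALFORMED;            /* no opening SOA: not an AXFR */
    if (n < 2 || rrs[n - 1].type != RR_SOA)
        return AXFR_TRUNCATED;            /* stream stopped before closing SOA */
    if (strcmp(rrs[n - 1].owner, rrs[0].owner) != 0 ||
        rrs[n - 1].soa_serial != rrs[0].soa_serial)
        return AXFR_MALFORMED;            /* closing SOA does not match opening */
    for (size_t i = 1; i + 1 < n; i++)    /* the apex SOA appears exactly twice */
        if (rrs[i].type == RR_SOA) return AXFR_MALFORMED;
    return AXFR_COMPLETE;
}

/* Constructed zone "example.org.": a full transfer, and the same transfer
 * cut off before the closing SOA (the situation the ticket describes). */
static const rr_t full_axfr[] = {
    { "example.org.",   RR_SOA, 2010091001 },
    { "example.org.",   RR_NS,  0 },
    { "a.example.org.", RR_A,   0 },
    { "s.example.org.", RR_A,   0 },
    { "example.org.",   RR_SOA, 2010091001 },
};
#define FULL_LEN (sizeof full_axfr / sizeof full_axfr[0])
#define CUT_LEN  3   /* connection dropped after "a.example.org." */
int main(void)
{
    printf("full transfer: %s\n", axfr_check(full_axfr, FULL_LEN) == AXFR_COMPLETE ? "accept" : "reject");
    printf("cut transfer:  %s\n", axfr_check(full_axfr, CUT_LEN) == AXFR_COMPLETE ? "accept" : "reject");
    return 0;
}
```

The truncated stream is the one the old zone_fetcher would have passed on as a complete zone; with this check it is rejected before signing.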
