[Opendnssec-develop] [OpenDNSSEC] #183: Serious issue in zone_fetcher (includes patch)
OpenDNSSEC
owner-dnssec-trac at kirei.se
Fri Sep 10 12:10:14 UTC 2010
#183: Serious issue in zone_fetcher (includes patch)
---------------------+------------------------------------------------------
 Reporter: roland    | Owner: rb
 Type: defect        | Status: new
 Priority: critical  | Component: Signer
 Version: 1.1.1      | Keywords: zone_fetcher AXFR bug
---------------------+------------------------------------------------------
Guys, I have found a serious bug in the zone_fetcher. The result of this
bug is that if an AXFR fails half-way through, the zone_fetcher assumes
that the transfer was successful. The result of this is that the signer
receives a partial zone as input which it will sign diligently and will be
served out.
The end result is that mangled zones end up on the Internet which is very
bad indeed. The patch included with this ticket fixes two issues:
* It checks after the AXFR ends whether the AXFR was complete (i.e.
whether the SOA record was seen twice as per the RFC, it uses the LDNS
function ldns_axfr_complete for this)
* The code is changed so the ldns_resolver structure used by the
zone_fetcher is not re-used. I've talked to Wouter from NLnet Labs and he
is of the opinion that it was never designed to be used for multiple
AXFRs. The fact that the zone_fetcher starts acting erroneously seems to
suggest that this is indeed the case. I now create and clean up an
ldns_resolver structure for each separate AXFR; this vastly improves the
stability of the zone fetcher.
I highly recommend that we plan a new release ASAP that includes this fix
as we got into serious trouble because of this bug. It is most likely to
occur for larger zones such as our main domain surfnet.nl. Let's just say
that it's not good if all records that start with the letters s-z are not
served out...
--
Ticket URL: <http://trac.opendnssec.org/ticket/183>
OpenDNSSEC <http://www.opendnssec.org/>
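The completeness check the ticket describes (the zone SOA must appear as both the first and the last record of the transfer, with the same serial), as an added stand-alone example. This is not the ticket's patch and does not use ldns; the record struct, the status codes and the sample transfers are constructed for illustration.

```c
/* Minimal AXFR completeness check modelled on what the patch adds via
 * ldns_axfr_complete. Illustrative code only; not OpenDNSSEC's or ldns's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical minimal record: only the fields the check needs. */
typedef struct {
    const char *type;  /* "SOA", "NS", "A", ... */
    uint32_t serial;   /* SOA serial; ignored for other types */
} rr_t;

typedef enum {
    AXFR_OK = 0,
    AXFR_EMPTY,            /* nothing received at all */
    AXFR_NO_LEADING_SOA,   /* stream did not start with the zone SOA */
    AXFR_TRUNCATED,        /* closing SOA never arrived: partial zone */
    AXFR_SERIAL_MISMATCH   /* opening and closing SOA disagree */
} axfr_status_t;

/* Return AXFR_OK only when the stream opens with the zone SOA, closes with
 * a second copy of it, and both carry the same serial. Anything else must
 * be treated as a failed transfer and never handed to the signer. */
axfr_status_t axfr_check(const rr_t *rrs, size_t n) {
    if (n == 0) return AXFR_EMPTY;
    if (strcmp(rrs[0].type, "SOA") != 0) return AXFR_NO_LEADING_SOA;
    if (n < 2 || strcmp(rrs[n - 1].type, "SOA") != 0) return AXFR_TRUNCATED;
    if (rrs[0].serial != rrs[n - 1].serial) return AXFR_SERIAL_MISMATCH;
    return AXFR_OK;
}

/* Constructed samples: one complete transfer and one cut off half-way,
 * the situation the ticket reports (no closing SOA ever seen). */
static const rr_t complete_xfr[] = {
    {"SOA", 2010091001}, {"NS", 0}, {"A", 0}, {"MX", 0}, {"SOA", 2010091001}
};
static const rr_t truncated_xfr[] = {
    {"SOA", 2010091001}, {"NS", 0}, {"A", 0}
};

/* Named wrappers so each sample's verdict can be checked directly. */
axfr_status_t check_complete_sample(void) {
    return axfr_check(complete_xfr, sizeof complete_xfr / sizeof complete_xfr[0]);
}
axfr_status_t check_truncated_sample(void) {
    return axfr_check(truncated_xfr, sizeof truncated_xfr / sizeof truncated_xfr[0]);
}
```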