[Opendnssec-user] Notification from PowerDNS

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Dec 9 10:16:45 UTC 2010



Hi,

As far as I know, the AA bit distinguishes between responses from a
cache and from an authoritative name server. Setting the AA bit is one
of the characteristics of a NOTIFY, according to RFC 1996, section 4.5.

We would like to make sure that the incoming NOTIFY is RFC compliant,
that's why we check the AA bit.

Best regards,

Matthijs

On 12/09/2010 09:54 AM, Markus Lauer wrote:
> Hi List!
> 
> 
> Notifies from PowerDNS Master (when explicitly queued by pdns_control notify-host)
> lead to a "zone fetcher drop bad notify" error.
> 
> 
> 
> 
>     if (ldns_pkt_get_opcode(query_pkt) != LDNS_PACKET_NOTIFY ||
>         ldns_pkt_get_rcode(query_pkt)  != LDNS_RCODE_NOERROR ||
>         ldns_pkt_qr(query_pkt) ||
> /*        !ldns_pkt_aa(query_pkt) ||  */
>         ldns_pkt_tc(query_pkt) ||
>         ldns_pkt_rd(query_pkt) ||
>         ldns_pkt_ra(query_pkt) ||
>         ldns_pkt_cd(query_pkt) ||
>         ldns_pkt_ad(query_pkt) ||
>         ldns_pkt_qdcount(query_pkt) != 1 ||
>         ldns_pkt_nscount(query_pkt) != 0 ||
>         ldns_pkt_arcount(query_pkt) != 0 ||
>         ldns_rr_get_type(query_rr) != LDNS_RR_TYPE_SOA ||
>         ldns_rr_get_class(query_rr) != LDNS_RR_CLASS_IN)
>     {
>         se_log_info("zone fetcher drop bad notify");
>         return;
>     }
> 
> 
> When I comment out the AA-flag check it works like a charm.
> 
> Is PowerDNS just missing this flag or is OpenDNSSEC too strict?
> 
> 
> Any hint in the right direction would be appreciated.
> 
> 
> Regards,
> 
> Markus
> 
> PS: Please see also blog entry from Jan-Piet Mens:
> http://blog.fupps.com/2010/09/15/hints-on-getting-powerdns-to-use-opendnssec-for-signing-zones
> 
> 
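An added example, not part of either message and not OpenDNSSEC code: the header checks from the quoted ldns condition, applied to raw wire bytes and returning which check failed rather than a single "drop bad notify". The function, the verdict names, the `require_aa` switch and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are this example's own, one per group of checks in the thread. */
enum verdict { NOTIFY_OK, BAD_LENGTH, BAD_OPCODE, BAD_RCODE, BAD_QR,
               BAD_AA, BAD_FLAGS, BAD_COUNTS, BAD_QUESTION };

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* require_aa is a hypothetical switch: 1 = strict check, 0 = AA check skipped. */
enum verdict check_notify(const uint8_t *p, size_t len, int require_aa)
{
    if (len < 12) return BAD_LENGTH;                  /* fixed DNS header */
    uint8_t hi = p[2], lo = p[3];                     /* the two flag octets */
    if (((hi >> 3) & 0x0f) != 4) return BAD_OPCODE;   /* opcode 4 = NOTIFY */
    if ((lo & 0x0f) != 0) return BAD_RCODE;           /* rcode NOERROR */
    if (hi & 0x80) return BAD_QR;                     /* must be a request */
    if (require_aa && !(hi & 0x04)) return BAD_AA;    /* AA bit */
    if ((hi & 0x03) || (lo & 0xb0)) return BAD_FLAGS; /* TC, RD, RA, AD, CD */
    if (rd16(p + 4) != 1 || rd16(p + 8) != 0 || rd16(p + 10) != 0)
        return BAD_COUNTS;                            /* qd=1, ns=0, ar=0 */
    size_t i = 12;                                    /* walk the QNAME labels */
    while (i < len && p[i] != 0) {
        if (p[i] & 0xc0) return BAD_QUESTION;         /* no compression here */
        i += (size_t)p[i] + 1;
    }
    if (i + 5 > len) return BAD_QUESTION;             /* root label + type + class */
    if (rd16(p + i + 1) != 6 || rd16(p + i + 3) != 1) /* SOA, class IN */
        return BAD_QUESTION;
    return NOTIFY_OK;
}

/* Constructed NOTIFY requests for "example." SOA IN; only the AA bit differs. */
static const uint8_t with_aa[] = { 0x12,0x34, 0x24,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e',0, 0,6, 0,1 };
static const uint8_t without_aa[] = { 0x12,0x34, 0x20,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e',0, 0,6, 0,1 };

int main(void)
{
    printf("AA set,   strict:  %d\n", check_notify(with_aa, sizeof with_aa, 1));
    printf("AA clear, strict:  %d\n", check_notify(without_aa, sizeof without_aa, 1));
    printf("AA clear, relaxed: %d\n", check_notify(without_aa, sizeof without_aa, 0));
    return 0;
}
```

Logging the returned verdict alongside the sender address shows at a glance whether a dropped NOTIFY failed on the AA bit or on one of the other header checks.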


