On 2021-10-20 07:55 +02, Otto Moerbeek <o...@drijf.net> wrote: > On Wed, Oct 20, 2021 at 07:47:30AM +0200, Mischa wrote: > >> Unfortunately our joy was short lived. This morning I noticed a lot of >> Oct 20 07:44:15 name1 nsd[80814]: server 76410 died unexpectedly with status >> 11, restarting >> >> It looks like there is a potentially fixed in version 4.3.8. >> >> https://github.com/NLnetLabs/nsd/issues/195 >> https://github.com/NLnetLabs/nsd/issues/189 >> >> https://github.com/NLnetLabs/nsd/blob/NSD_4_3_8_REL/doc/ChangeLog >> 23 August 2021: Wouter >> - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion >> `query->delegation_rrset' failed. >> >> (Thanx Roger!)
That is not the correct fix, it only hides the problem and worse, produces wrong results. Please try this, which is the fix for https://github.com/NLnetLabs/nsd/issues/194 diff --git namedb.c namedb.c index 06bef71147c..772e038b16d 100644 --- namedb.c +++ namedb.c @@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns) { /* return highest NS RRset in the zone that is a delegation above */ domain_type* result = NULL; + rrset_type* rrset = NULL; while (domain && domain != zone->apex) { - *ns = domain_find_rrset(domain, zone, TYPE_NS); - if (*ns) + rrset = domain_find_rrset(domain, zone, TYPE_NS); + if (rrset) { + *ns = rrset; result = domain; + } domain = domain->parent; } >> >> As far as I can tell from the things Martijn found it might be the case. >> >> Will give that a try and report back. >> >> Mischa > > Are you going to try just the one line fix or the whole of 4.3.8? > I suppose if we want to backport to -stable the one-line fix is > preferred. Yes, except, we should go with the correct fix above ;) Nothing else is interesting to backport in 4.3.8 as far as I can tell. > > -Otto > I provided an explanation what's going on in https://github.com/NLnetLabs/nsd/issues/195#issuecomment-947505367 Reproduced here (slightly edited): 712296f (the one-line-fix) only hides the problem, it doesn't fix anything. The real fix is ba0002e (the diff above). f.9.1.1.0.0.2.ip6.arpa. is an ENT in ip6.arpa. and so is 2.ip6.arpa. In line 1420 in query.c we haveq->delegation_domain = domain_find_ns_rrsets( and the unfixed domain_find_ns_rrsets would find the NS RRset for 9.1.1.0.0.2.ip6.arpa. But it would then continue searching upwards, overwriting *ns which is &q->delegation_rrset. Until it hits 2.ip6.arpa. which has no NS records. So q->delegation_rrset = NULL but at the same time result != NULL because we did find a delegation RRset along the way, we just ignored it (at least for 9.1.1.0.0.2.ip6.arpa., I didn't check if there was one further up). domain_find_ns_rrsets returns non-NULL which means we found a delegation, but at the same time it doesn't give us the delegation NS RRset. It is probably best to revert 712296f since on its own it produces wrong results. I.e. adding it to 4.3.7 gives this: $ dig @192.168.178.219 +norec f.9.1.1.0.0.2.ip6.arpa NS ; <<>> dig 9.10.8-P1 <<>> @192.168.178.219 +norec f.9.1.1.0.0.2.ip6.arpa NS ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10923 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;f.9.1.1.0.0.2.ip6.arpa. IN NS ;; AUTHORITY SECTION: ip6.arpa. 3600 IN SOA b.ip6-servers.arpa. nstld.iana.org. 2021100154 1800 900 604800 3600 ;; Query time: 0 msec ;; SERVER: 192.168.178.219#53(192.168.178.219) ;; WHEN: Wed Oct 20 10:24:56 CEST 2021 ;; MSG SIZE rcvd: 115 But the correct answer is this: dig @::1 +norec f.9.1.1.0.0.2.ip6.arpa NS ; <<>> dig 9.10.8-P1 <<>> @::1 +norec f.9.1.1.0.0.2.ip6.arpa NS ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48090 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;f.9.1.1.0.0.2.ip6.arpa. IN NS ;; AUTHORITY SECTION: 9.1.1.0.0.2.ip6.arpa. 86400 IN NS r.arin.net. 9.1.1.0.0.2.ip6.arpa. 86400 IN NS u.arin.net. 9.1.1.0.0.2.ip6.arpa. 86400 IN NS x.arin.net. 9.1.1.0.0.2.ip6.arpa. 86400 IN NS y.arin.net. 9.1.1.0.0.2.ip6.arpa. 86400 IN NS z.arin.net. 9.1.1.0.0.2.ip6.arpa. 86400 IN NS arin.authdns.ripe.net. ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Wed Oct 20 10:24:16 CEST 2021 ;; MSG SIZE rcvd: 171 -- I'm not entirely sure you are real.
