On 2021-10-20 12:33, Florian Obser wrote:
On 2021-10-20 07:55 +02, Otto Moerbeek <o...@drijf.net> wrote:
On Wed, Oct 20, 2021 at 07:47:30AM +0200, Mischa wrote:
Unfortunately our joy was short lived. This morning I noticed a lot
of
Oct 20 07:44:15 name1 nsd[80814]: server 76410 died unexpectedly with
status
11, restarting
It looks like there is a potentially fixed in version 4.3.8.
https://github.com/NLnetLabs/nsd/issues/195
https://github.com/NLnetLabs/nsd/issues/189
https://github.com/NLnetLabs/nsd/blob/NSD_4_3_8_REL/doc/ChangeLog
23 August 2021: Wouter
- Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
`query->delegation_rrset' failed.
(Thanx Roger!)
That is not the correct fix, it only hides the problem and worse,
produces wrong results. Please try this, which is the fix for
https://github.com/NLnetLabs/nsd/issues/194
diff --git namedb.c namedb.c
index 06bef71147c..772e038b16d 100644
--- namedb.c
+++ namedb.c
@@ -583,10 +583,13 @@ domain_find_ns_rrsets(domain_type* domain,
zone_type* zone, rrset_type **ns)
{
/* return highest NS RRset in the zone that is a delegation above */
domain_type* result = NULL;
+ rrset_type* rrset = NULL;
while (domain && domain != zone->apex) {
- *ns = domain_find_rrset(domain, zone, TYPE_NS);
- if (*ns)
+ rrset = domain_find_rrset(domain, zone, TYPE_NS);
+ if (rrset) {
+ *ns = rrset;
result = domain;
+ }
domain = domain->parent;
}
Thanx Florian!
Will give that a go and let you know.
Mischa
As far as I can tell from the things Martijn found it might be the
case.
Will give that a try and report back.
Mischa
Are you going to try just the one line fix or the whole of 4.3.8?
I suppose if we want to backport to -stable the one-line fix is
preferred.
Yes, except, we should go with the correct fix above ;) Nothing else is
interesting to backport in 4.3.8 as far as I can tell.
-Otto
I provided an explanation what's going on in
https://github.com/NLnetLabs/nsd/issues/195#issuecomment-947505367
Reproduced here (slightly edited):
712296f (the one-line-fix) only hides the problem, it doesn't fix
anything. The real fix is ba0002e (the diff above).
f.9.1.1.0.0.2.ip6.arpa. is an ENT in ip6.arpa. and so is 2.ip6.arpa.
In line 1420 in query.c we haveq->delegation_domain =
domain_find_ns_rrsets(
and the unfixed domain_find_ns_rrsets would find the NS RRset for
9.1.1.0.0.2.ip6.arpa.
But it would then continue searching upwards, overwriting *ns which is
&q->delegation_rrset. Until it hits 2.ip6.arpa. which has no NS
records. So q->delegation_rrset = NULL but at the same time result !=
NULL because we did find a delegation RRset along the way, we just
ignored it (at least for 9.1.1.0.0.2.ip6.arpa., I didn't check if there
was one further up).
domain_find_ns_rrsets returns non-NULL which means we found a
delegation, but at the same time it doesn't give us the delegation NS
RRset.
It is probably best to revert 712296f since on its own it produces
wrong
results. I.e. adding it to 4.3.7 gives this:
$ dig @192.168.178.219 +norec f.9.1.1.0.0.2.ip6.arpa NS
; <<>> dig 9.10.8-P1 <<>> @192.168.178.219 +norec
f.9.1.1.0.0.2.ip6.arpa NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10923
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;f.9.1.1.0.0.2.ip6.arpa. IN NS
;; AUTHORITY SECTION:
ip6.arpa. 3600 IN SOA b.ip6-servers.arpa.
nstld.iana.org. 2021100154 1800 900 604800 3600
;; Query time: 0 msec
;; SERVER: 192.168.178.219#53(192.168.178.219)
;; WHEN: Wed Oct 20 10:24:56 CEST 2021
;; MSG SIZE rcvd: 115
But the correct answer is this:
dig @::1 +norec f.9.1.1.0.0.2.ip6.arpa NS
; <<>> dig 9.10.8-P1 <<>> @::1 +norec f.9.1.1.0.0.2.ip6.arpa NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48090
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;f.9.1.1.0.0.2.ip6.arpa. IN NS
;; AUTHORITY SECTION:
9.1.1.0.0.2.ip6.arpa. 86400 IN NS r.arin.net.
9.1.1.0.0.2.ip6.arpa. 86400 IN NS u.arin.net.
9.1.1.0.0.2.ip6.arpa. 86400 IN NS x.arin.net.
9.1.1.0.0.2.ip6.arpa. 86400 IN NS y.arin.net.
9.1.1.0.0.2.ip6.arpa. 86400 IN NS z.arin.net.
9.1.1.0.0.2.ip6.arpa. 86400 IN NS arin.authdns.ripe.net.
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Oct 20 10:24:16 CEST 2021
;; MSG SIZE rcvd: 171