Maintained by: NLnet Labs

[Unbound-users] Patch for unbound 1.4.15 NSEC3 validation failure

W.C.A. Wijngaards
Wed Feb 1 14:43:13 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Attached is the patch for unbound 1.4.15 that fixes a bugfix in 1.4.15
that misbehaves.  It can be seen by validation failures (example below)
after hours or days.  The bug is present in 1.4.15 and 1.4.15rc1 (the
TTL fix in it).  It only happens if you have trust anchors configured
(you do DNSSEC).

validation failure xx: no NSEC3 closest encloser from yy for DS zz while
building chain of trust.

We intend to release unbound 1.4.16 with this fix soon.

You can apply this to the 1.4.15 source with patch -p0 < file.  And then
build and install it.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPKUFwAAoJEJ9vHC1+BF+NbswP/A+wg8usttzEo+l/1LZuaF+Z
1bcKUbfB9VUGEJZ1VdHDs6Xs8ibSWc9wnA82D/6WSdX2PCC0ftoAKk4NRC7qGvmh
cMlj+H7Dy3ITLSDp+5jfCNVJ6OoGKk4E6g2QpTTxDocPUZ4g+cEvD5XMv/VWvmXW
3BBS/k7jLIyuP72FJgjrIOWdoOHd2yU9ShUJjO7MS5gv0LPlmN7v5eK/gsf7+Am5
e3DcisbxpzzRaJQBMoU0DKDLD6YPo7qbdFvpGHDr9aEinVX9bSHNm/ka3Psu9sjx
l1wNZej13D3s4MMsXcAUW3pyStJw5t1jLmu6Aku2Y9AanrtVIeOtK9hBn7XX0AEh
VFXvvw9LW3CwTg4AumWWf1mgAwgB3QMjOosg4xrOKAUh25PpTGWY7s24nBxj3BKS
e0vm28L1iL6VkxVX5Y536Yr6Yo3ZpssRYVdrDnVT+W2JkXfHJvvhA1fSVy+VhAk8
CeKLmohunyYwq31/SaP2EMLCbwvgQ7bHNkCe7xiXv+HC8Xz54AP3FwUxRNCi3Trp
wDmY5Md03Pq3khkiCk3he9k2ERCp0vrGIuZCZGtCK0/Q9uG86bzuk7E8zfqBG1z/
bq8lxpxGPMZEteABxrw3Xylq4NK15bqaFCwWVWTpnrDP+USgFWLRufAAiz6hXkun
+MjfzUblnE5qLuIdhMwA
=jjXP
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_nsec3_1415.diff
Type: text/x-patch
Size: 449 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120201/ae381ce0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_nsec3_1415.diff.sig
Type: application/pgp-signature
Size: 543 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120201/ae381ce0/attachment.pgp>