auth-zones and DNS NOTIFY

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Jun 4 09:34:01 UTC 2018


Hi,

On 04/06/18 11:29, Harry Schmalzbauer wrote:
> Am 04.06.2018 um 11:01 schrieb W.C.A. Wijngaards:
>> Hi Harry,
>>
>> On 02/06/18 19:24, Harry Schmalzbauer wrote:
>>> Am 02.06.2018 um 16:44 schrieb Harry Schmalzbauer via Unbound-users:
>>>> Am 17.04.2018 um 15:26 schrieb W.C.A. Wijngaards via Unbound-users:
>>>>> Hi Harry,
>>>>>
>>>>> Yes, DNS NOTIFY is implemented in the current code repo version.  You
>>>>> can specify additional sources with allow-notify.
>>>> Great, thanks a lot!
>>>> Found time to update some production systems, but unfortunately zone
>>>> transfer seems to work only initially, then I see these messages logged:
>> Thank you very much for the detailed report.  I found the deadlock
>> problem and fixed it for the upcoming release.
>>
>> There is a patch as well in case that is useful for you.  The routine
>> simply forgot to unlock in one of the cases for an incoming NOTIFY
>> message.  This explains why the other report did not encounter the
>> problem.
>>
>> Index: services/authzone.c
>> ===================================================================
>> --- services/authzone.c    (revision 4703)
>> +++ services/authzone.c    (working copy)
>> @@ -3425,8 +3425,10 @@
>>   {
>>       /* if the serial of notify is older than we have, don't fetch
>>        * a zone, we already have it */
>> -    if(has_serial && !xfr_serial_means_update(xfr, serial))
>> +    if(has_serial && !xfr_serial_means_update(xfr, serial)) {
>> +        lock_basic_unlock(&xfr->lock);
>>           return;
>> +    }
>>       /* start new probe with this addr src, or note serial */
>>       if(!xfr_start_probe(xfr, env, fromhost)) {
>>           /* not started because already in progress, note the serial */
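Review bot: the added `lock_basic_unlock(&xfr->lock);` before `return;` closes the leak on the stale-serial path, but the hunk's trailing context shows another early path right below it, `if(!xfr_start_probe(xfr, env, fromhost)) {`, whose body is cut off; confirm that this branch and the success path after it release `xfr->lock` as well, or restructure the routine around a single exit label so the unlock cannot be skipped again. A regression test that delivers two NOTIFY messages whose serial is not newer than the zone's current serial would have caught this defect, since the second message blocks on the still-held lock.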
>>
>>
>> Best regards, Wouter
>>
> 
> Kudos!
> Highly appreciate your work and support!  Far better than many
> commercial competitors…
> Will drop a note after testing, which might not happen before next week :-(
> 
> One short question: Does this also address/explain the stall/outage
> (more precisely the "error response SERVFAIL") for stub-zone: matching
> queries?

Possibly, not getting updates would explain servfail, because an expired
auth zone cannot deliver the information for resolution.  But it may not
be this, it could be some other issue.

Best regards, Wouter

> 
> Thanks,
> 
> -harry
> 
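The message above describes a missing unlock on one early-return path of the NOTIFY handler, which left the zone's lock held so the next NOTIFY for that zone blocked. The following is an added, self-contained C model of that control flow; it is not Unbound's code. Names such as `demo_lock`, `xfr_state`, `handle_notify_leaky` and `handle_notify_fixed` are constructed for the example, and the lock is modelled so that a second acquisition of a held lock reports failure instead of blocking, which makes the leaked lock observable. The serial check is the RFC 1982 comparison that a "serial of notify is older than we have" test relies on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a basic mutex: instead of blocking, acquiring a
 * lock that is already held is reported as failure, so a leaked lock shows
 * up as a return value rather than as a hang. */
struct demo_lock { int held; };

static int demo_lock_acquire(struct demo_lock *l)
{
    if (l->held) return -1;   /* a real mutex would block here: the deadlock */
    l->held = 1;
    return 0;
}

static void demo_lock_release(struct demo_lock *l) { l->held = 0; }

/* Constructed, simplified per-zone transfer state (hypothetical struct). */
struct xfr_state {
    struct demo_lock lock;
    uint32_t have_serial;    /* SOA serial of the zone copy currently served */
    bool probe_in_progress;  /* a refresh toward the primary is already running */
    uint32_t noted_serial;   /* serial remembered for the running probe */
};

/* RFC 1982 serial number arithmetic on the 32-bit ring: 'candidate' is newer
 * than 'have' when it lies strictly less than 2^31 ahead. Equal serials and
 * the undefined case exactly 2^31 apart are not treated as newer. */
bool serial_is_newer(uint32_t have, uint32_t candidate)
{
    uint32_t diff = candidate - have;      /* modular, well defined */
    return diff != 0 && diff < 0x80000000u;
}

enum notify_result { NOTIFY_DEADLOCK = -1, NOTIFY_IGNORED = 0,
                     NOTIFY_PROBE_STARTED = 1, NOTIFY_SERIAL_NOTED = 2 };

/* Called with xfr->lock held: start a probe, or note the serial if one runs. */
static int start_or_note(struct xfr_state *xfr, bool has_serial, uint32_t serial)
{
    if (xfr->probe_in_progress) {
        if (!has_serial) return NOTIFY_IGNORED;
        xfr->noted_serial = serial;
        return NOTIFY_SERIAL_NOTED;
    }
    xfr->probe_in_progress = true;
    return NOTIFY_PROBE_STARTED;
}

/* Shape of the defect: the stale-serial path returns with the lock held.
 * The first such NOTIFY looks handled; the next NOTIFY for the same zone
 * can never take the lock. Kept here only for contrast with the fix. */
int handle_notify_leaky(struct xfr_state *xfr, bool has_serial, uint32_t serial)
{
    int r;
    if (demo_lock_acquire(&xfr->lock) != 0) return NOTIFY_DEADLOCK;
    if (has_serial && !serial_is_newer(xfr->have_serial, serial))
        return NOTIFY_IGNORED;               /* BUG: lock never released */
    r = start_or_note(xfr, has_serial, serial);
    demo_lock_release(&xfr->lock);
    return r;
}

/* Fixed shape: a single exit label so every path releases the lock. */
int handle_notify_fixed(struct xfr_state *xfr, bool has_serial, uint32_t serial)
{
    int r = NOTIFY_IGNORED;
    if (demo_lock_acquire(&xfr->lock) != 0) return NOTIFY_DEADLOCK;
    if (has_serial && !serial_is_newer(xfr->have_serial, serial))
        goto out;                            /* stale or duplicate NOTIFY */
    r = start_or_note(xfr, has_serial, serial);
out:
    demo_lock_release(&xfr->lock);           /* the one place that unlocks */
    return r;
}

int main(void)
{
    /* Constructed scenario: zone at serial 100 receives a stale NOTIFY (99),
     * then a fresh one (101). The leaky handler wedges on the second call. */
    struct xfr_state leaky = { {0}, 100u, false, 0 };
    struct xfr_state fixed = { {0}, 100u, false, 0 };
    printf("leaky: %d then %d\n", handle_notify_leaky(&leaky, true, 99u),
           handle_notify_leaky(&leaky, true, 101u));
    printf("fixed: %d then %d\n", handle_notify_fixed(&fixed, true, 99u),
           handle_notify_fixed(&fixed, true, 101u));
    return 0;
}
```

Running the program prints `leaky: 0 then -1` and `fixed: 0 then 1`: with the leak, the stale NOTIFY is silently ignored and every later NOTIFY for that zone deadlocks, matching the "works only initially" symptom reported in the thread. Keeping the unlock on a single exit path is the structural change that prevents the same omission on any future early return.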