Hi,

This is only somewhat related to nsd, but someone else must have hit it.
I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
recognise the file format and writes a zone file that zonec barfs on.

This is what is written:

; BIND version named 8.4.5-REL Wed Jan 5 19:58:17 MET 2005
; BIND version mansaxel at foot.snowman.sunet.se:/local/src/bind8/src/bin/named
; zone 'se' first transfer
; from [212.247.7.226].53 (local [130.242.94.50].33741) using AXFR at Thu Jan 6 01:13:59 2005
; TSIG verified: key xfer-sunet.tsig.ns.se..
$ORIGIN .
se      3600 IN SOA dnssec.nic.se. dnssec-registry.nic-se.se. (
                2005010518 7200 3600 2419200 7200 )
        3600 IN TYPE46 \# 86 ( 0006050100000e1041e5512241dc16a285ac0273
                65009256304e04d767b1f91e8887e4b675dd471d66a0404d
                c1049c17996d4b0d5c80157322e66c44e9ff5e7f5822db53
                400884b69bd899671c34dba12311e30ca5cc )
        3600 IN NS dnssec-1.ns.se.
        3600 IN NS dnssec-2.ns.se.
        3600 IN NS dnssec-5.ns.se.
        3600 IN NS dnssec-6.ns.se.
        3600 IN TYPE46 \# 86 ( 0002050100000e1041e3109241d9d61285ac0273
                650051e77ca6b64c030ec5f9b8124515c4883329b77c27fc
                88a58519e91f81e37177317799b91d50863b5dada34e132b
                064ae71b2f84499bd9abebdecf4c99317f6a )
        3600 IN TXT "<http://www.nic-se.se/domaner/ompekning.shtml>"
        3600 IN TXT "Read instructions before sending requests of update"
        3600 IN TYPE46 \# 86 ( 0010050100000e1041e3109241d9d61285ac0273
                6500247f32e69ba86f1d32e800112cac6869fe50c9924c1b
                30fa5f74a05b0f2b9b7d88aae0ca0bf8e44e119dd2d7dc82
                bb09bae1f898def4f177f61dcc6269887888 )
        7200 IN TYPE47 \# 27 ( 0d30303338356b726f617469656e027365000007
                22008000000380 )
        7200 IN TYPE46 \# 86 ( 002f050100001c2041e3109241d9d61285ac0273
                6500a5484993c2d65c63766aa72e446e47f8ec40f0ed8ce2
                0181f02492fafdfe0fd695b26a510ffa0c3d5cce90e618f3
                c3f85c198d2b81c703d82bdcbe8e7c46437c )
        3600 IN TYPE48 \# 70 ( 010003050103baccdb8ee97a7cbf97834dd7b71e
                1d15011f71a3e98e50bc5e02ac0c12907346d64944dda0e6
                add2ff3c37b037971ca4bfeee9e7879298531bf36999791c
                d01d )
        3600 IN TYPE48 \# 70 ( 010003050103bcdb90e4b0390922098086851ee4
                17a1ad213eb57699f89506c584baa166a36e8c6fb492d001
                e6135d3fbd6480142c840c70ad0e3dd781ad749bb9a59622
                ad01 )
        3600 IN TYPE48 \# 134 ( 0101030501039f60682c22ac957844be27d25643
                fc5974af76b1954ddad4d79497839b90e0210334a9fbc2dc
                277a4f7ba71d07fba5342ff217f7a8fff9d3214456db6218
                f54be1cb66dca1616b26c91b3ff5fc01a409daa618fca601
                c555bdd048082c75eb982eb12b0ae5f17bd23f999baaf834
                1b0533252220f2e23242873d0136a560cc2f )
        3600 IN TYPE46 \# 150 ( 0030050100000e1041e3109241d9d61259610273
                650099fb69877c598595ea408696721c323faa86978e6b12
                700d908b32c5c0d268c2cf0b9a85ac5a4db30028b4ef0d22
                52fd591f0ce7221d222b9d14da6d475e6d98bdd9f6bd42ed
                0dfe317352dad1689cb18d5fd100a80f2298091e9105e6b0
                cf7d2dacf9f861deeea0ea58bf89e583b93fc561e584fff4
                7e9a7bb5071a5ef15e92 )
        3600 IN TYPE46 \# 86 ( 0030050100000e1041e3109241d9d61285ac0273
                65003a260306e08b66f013a2c5c34aeacb141f94e786b737
                9c7d2f771c947ffb18f126c6da42fcb0046d417d657e28a9
                cc218204fe9ca265e729ce3bdd6dd6e58d91 )
$ORIGIN se.
00385kroatien 3600 IN NS ns1.surf-town.net.
        3600 IN NS ns2.surf-town.net.
        3600 IN NS ns3.surf-town.net.
; Ignoring extra info about 00385kroatien.se, invalid after NS delegation.
;       7200 IN TYPE47 \# 19 ( 06303037746132027365000006200000000003 )
; Ignoring extra info about 00385kroatien.se, invalid after NS delegation.
;       7200 IN TYPE46 \# 86 ( 002f050200001c2041e3109241d9d61285ac0273
                650053a108f27f7368a2413266a450cdf52a0627a46da90a
                ec18d743991acbbea051eacea609b0b5ffb256740673f305
                312e3f5b1a174535b1f76563649b89e6c636 )
$ORIGIN se.
007ta2  3600 IN NS ns1.b-one.nu.
        3600 IN NS ns2.b-one.nu.
; Ignoring extra info about 007ta2.se, invalid after NS delegation.
;       7200 IN TYPE47 \# 24 ( 0b3030383030696e6b6a65740273650000062000
                00000003 )
; Ignoring extra info about 007ta2.se, invalid after NS delegation.
;       7200 IN TYPE46 \# 86 ( 002f050200001c2041e3109241d9d61285ac0273
                650008e4b4a54dc37ab227513dd8ae347a08b50a1cf17328
                a1880ae3e7dfa29c4ba28a76dbe2bd46bb6fd741bd377d65
                9dce6a90ce15bac7e415817c3ba8a04dbb60 )
<snip>

And this is the debug output from zonec:
(ignore the axfr issues -- they are known and fixed..)

foot#/usr/local/sbin/nsdc update
Warning: AXFR for se failed
zone se needs rebuilding...
rebuilding the database....
zonec: reading zone "se".
ERR: Line 66 in secondary/se: Unrecognized RR type '650053a108f27f7368a2413266a450cdf52a0627a46da90a'
ERR: Line 67 in secondary/se: Unrecognized RR type 'ec18d743991acbbea051eacea609b0b5ffb256740673f305'
ERR: Line 68 in secondary/se: Unterminated parentheses
zonec: processed 20 RRs in "se".
zonec: done with 3 errors.
/etc/nsd/nsd.db is unmodified

The errors are quite obvious; named-xfer does not correctly comment out
records it does not understand; but how do I get a named-xfer that will
fetch the data correctly (and not complain about rren 47 and 46 above
delegation) for zonec to compile?

Regards,
--
Måns Nilsson
Systems Specialist
+46 70 681 7204
KTHNOC MN1334-RIPE
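A pre-flight check for the failure mode described in the message above, given here as an added example that is not part of the original post or of nsd/BIND: it finds continuation lines left uncommented after a `;`-commented record opened a parenthesis, and comments them out. It assumes (heuristically) that a comment line with an unbalanced `(` is a commented-out record; `scan`, `_paren_delta` and the sample zone are constructed for illustration. The repair only restores valid syntax, the commented records are still missing from the zone.

```python
def _paren_delta(text):
    """Net '(' minus ')' in text, skipping quoted strings, escapes and ';' comments."""
    depth, in_quote, escaped = 0, False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True          # e.g. the backslash in "\# 86"
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == ";":
                break               # rest of the line is a comment
            depth += (ch == "(") - (ch == ")")
    return depth


def scan(zone_text):
    """Return (repaired_text, line numbers of orphaned continuation lines)."""
    out, orphans, open_parens = [], [], 0
    for number, line in enumerate(zone_text.splitlines(), 1):
        body = line.lstrip()
        if body.startswith(";"):
            # Commented record (or an already-commented continuation line).
            open_parens = max(0, open_parens + _paren_delta(body[1:]))
        elif open_parens > 0:
            # Live line inside a parenthesis that was opened in a comment.
            orphans.append(number)
            open_parens = max(0, open_parens + _paren_delta(body))
            line = ";" + line
        out.append(line)
    return "\n".join(out) + "\n", orphans


# Constructed sample in the same shape as the broken named-xfer output.
SAMPLE = (
    "$ORIGIN example.\n"
    "child\t3600\tIN\tNS\tns1.child.example.\n"
    "; Ignoring extra info about child.example, invalid after NS delegation.\n"
    ";\t7200\tIN\tTYPE46\t\\# 12 ( 002f0502\n"
    "\t\t\t\t00001c20\n"
    "\t\t\t\tdeadbeef )\n"
    "other\t3600\tIN\tNS\tns1.other.example.\n"
)

if __name__ == "__main__":
    repaired, orphans = scan(SAMPLE)
    print("orphaned continuation lines:", orphans)
    print(repaired, end="")
```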
[Quoting Måns Nilsson, on Jan 6, 2:13, in "trouble with dnssec ..."]
...
> This is only somewhat related to nsd, but someone else must have hit it.
> I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
> recognise the file format and writes a zone file that zonec barfs on.

Yes, this is a known problem of BIND-8. There is a fix (appended) to
prevent the BIND-8 named-xfer writing out a zonefile with syntax errors,
but this will still not produce the correct DNSSEC zonefile, because
BIND-8 does not understand the special handling of the DS.

We have an NSD version of named-xfer, but it is not yet released (it will
soon be after quality assurance checks).

Regards,
-- ted

PS. the reply from Mark Andrews on my bug report containing a fix.

Subject: Re: [ISC-Bugs #12674] AXFR error: failure on ignoring multiple line RRs
From: "Mark Andrews via RT" <bind8-bugs at isc.org>
Reply-To: bind8-bugs at isc.org
In-Reply-To: <rt-12674 at ISC-Bugs>
X-RT-Loop-Prevention: ISC-Bugs
RT-Ticket: ISC-Bugs #12674
Managed-by: RT 2.0.15 (http://bestpractical.com/rt/)
RT-Originator: Mark_Andrews at isc.org
To: ted at NLnetLabs.nl
Date: Thu, 30 Sep 2004 00:48:42 +0000 (UTC)

> (Jakob Schlyter is Cc-ed because of his work on
> interoperability after the typecode rollover).

Firstly one really shouldn't attempt to use DNSSECbis unless *all* the
servers for the zone are DNSSECbis aware. I'm tempted to leave this here
just so that the zone transfer fails.

That being said I feel the following patch is cleaner.

Mark

Index: named-xfer.c ==================================================================RCS file: /proj/cvs/prod/bind8/src/bin/named-xfer/named-xfer.c,v retrieving revision 8.144 diff -u -r8.144 named-xfer.c --- named-xfer.c 27 Aug 2004 00:23:16 -0000 8.144 +++ named-xfer.c 30 Sep 2004 00:40:10 -0000 
@@ -3087,6 +3087,8 @@ fputs(" ( ", dbfp); isc_puthexstring(dbfp, cp1, n, (longname ? 28 : 40), 48, + (ignore[0] == ';') ? + "\n;\t\t\t\t" : "\n\t\t\t\t"); fputs(" )\n", dbfp); } else
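
Review bot: In the isc_puthexstring() call, the separator is picked by testing `ignore[0] == ';'` inline, which relies on `ignore` always being a valid string whose first byte is either ';' or NUL, and nothing in the hunk documents or checks that. I would compute the separator once into a named local next to where `ignore` is set, with a one-line comment that every continuation line of an ignored record must also start with ';', so that any other multi-line writer in this function can reuse it instead of repeating the ternary. Worth stating in the commit message as well that this only keeps the written file syntactically valid: the ignored records are still commented out, so the result is not a complete copy of a signed zone.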