W.C.A. Wijngaards
2015-Sep-23 06:31 UTC
[nsd-users] vague error causing nsd-3 to fail to start
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, On 09/22/2015 10:49 PM, Paul Wouters wrote:> > I am seeing on a secondary server: > > Sep 22 23:27:21 inter nsd: nsd: nsec3.c:626: prehash_zone: > Assertion `walk != zone->apex' failed.That is from the NSEC3 code. If you still have the nsd.db and ixfr.db files (and config file), the bug may be replicatable? Best regards, Wouter> > This caused the nsd daemon to fail to start (more than just > rejecting one bad zone!) > > Unfortunately, it does not tell me which zone is the problem. > > I ran nsd-checkzone on the primary server for all zones and all > zones pass with "ok" > > This was on nsd 3.2.18. Upgrading to 3.2.19 did not help. > > Removing all zone files and the nsd db did help. > > Paul _______________________________________________ nsd-users > mailing list nsd-users at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/nsd-users-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWAkdaAAoJEJ9vHC1+BF+NAIYQAJtewFADUTvNeKtOTPudgWPC jIyia099Ikpcxd9XswXcZ2HjMa9pot1+SssllitPAE9iFRC92iczESwZMvUo8Cjx dj57BELkuJVP0fv0pctb35Glex8UiYKb706A0fhNF8QFOLTgGx2YzKUZY446XTZV djKQQqe8wSdM+Sziuftwjp+VRhHiR3RmTOC96mEiWKIS1Xw2gFQGG+BKce6Pq1PG muYGjQCdRaW9ongsewFjOc5TExmNFlXNAXs3TuUaRJJVRofe5Sl5SPSaIlsAcF6n YHon8lgR4QTETwJ9ZKGCsphmU5PWt1ih0rLIQamhyvoCJy18F116sOFywc8+MNao z9rGPEbHbeXrNmUcDUMv2RDI/RS9926JmQVJy2/+za3O1ldYBFY+vv3BbAqgbdav 8Sp3eh0OtJK8Rt2nsR44KhQlKeePQ7rwSj2VL6Bpe29JzbhfFtyY6HpjO8oum8C1 lXFYpkAjQTSNN+JMuGUpb7yURADaD93KTrOPzl6gaUBvUvoC4pFI9GJKc7kaFZon jnDuY09x5OJCQYwO34p0ElF0mcXLX4Y39qIT9xq+AszgTG7J4P0PbY7DRBiTXEVb /ONxP+mHVh16Qyk4XMGPW4Gyan9gMHgzscTNaIgTxWiYMX1lATmI1hoaF977mFC5 8mXLmRoFTzg8VVxD1fgS =SrIf -----END PGP SIGNATURE-----
W.C.A. Wijngaards
2015-Sep-23 07:03 UTC
[nsd-users] vague error causing nsd-3 to fail to start
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, On 09/23/2015 08:31 AM, W.C.A. Wijngaards wrote:> Hi Paul, > > On 09/22/2015 10:49 PM, Paul Wouters wrote: > >> I am seeing on a secondary server: > >> Sep 22 23:27:21 inter nsd: nsd: nsec3.c:626: prehash_zone: >> Assertion `walk != zone->apex' failed. > > That is from the NSEC3 code. If you still have the nsd.db and > ixfr.db files (and config file), the bug may be replicatable?Never mind sending me the zones. Found the source of the bug. One of the zones must have had a spurious DS record at the apex. Code fix that ignores that DS record: Index: nsec3.c ==================================================================- --- nsec3.c (revision 4505) +++ nsec3.c (working copy) @@ -619,11 +619,10 @@ region_free_all(temp_region); } /* prehash the DS (parent zone) */ - - if(domain_find_rrset(walk, zone, TYPE_DS) || - - (domain_find_rrset(walk, zone, TYPE_NS) && - - walk != zone->apex)) + if((domain_find_rrset(walk, zone, TYPE_DS) || + domain_find_rrset(walk, zone, TYPE_NS)) && + walk != zone->apex) { - - assert(walk != zone->apex /* DS must be above zone cut */); prehash_ds(db, zone, walk, temp_region); region_free_all(temp_region); } Thanks for the report. Best regards, Wouter> > Best regards, Wouter > > >> This caused the nsd daemon to fail to start (more than just >> rejecting one bad zone!) > >> Unfortunately, it does not tell me which zone is the problem. > >> I ran nsd-checkzone on the primary server for all zones and all >> zones pass with "ok" > >> This was on nsd 3.2.18. Upgrading to 3.2.19 did not help. > >> Removing all zone files and the nsd db did help. > >> Paul _______________________________________________ nsd-users >> mailing list nsd-users at NLnetLabs.nl >> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users > > _______________________________________________ nsd-users mailing > list nsd-users at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/nsd-users >-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWAk7OAAoJEJ9vHC1+BF+NIwUP/2MPu/umd+HzR9efShlnBIDD 06aMiEDU5W8vAaZG8ypK1r+qbHJbAHkc8xCcRDZpn2o7cJOHtDudWg33xOT2fr/X xXYHpKRBLo7cT/zXZbRO2LKloucOUmCBOAv3jh6CuTAZge+9L6whgeU6UR1TWs6X D09zoaWbwQo3nyO/ENW3QmDrWfiHN92Y78NL9OPhB9KA5mxSlviHYXfzl1yT3n5y BC/LIfyvKppfcQZsyjqF0B/VxpTjrUG7x9UZvtHdW+3A6TZwOrfuqJiy01lSD+Ys YaG4Ml4tZgkE4kqh/iW+/ITFNLSHcQ+SsD5y6AHLXy8kW/DZKCvcY6MpZ221dMLj UavUoa+prYMVwWc/SKlcAXDEhuQGi9XawbswF4IuObdjUbO3ZByLk5wWUWH7xiC7 ys3trpyrTBE2ChgL+kX5N1/jdJiT6NkdTTOcs5hUf2z7E0iYIO/DUYQ1MMhvhV1Y ej9wHM56OA57XYb6q1KpSstc2ulqsOe4mhMMkc2/Pon9s87VXdTi3qocRyc7VjZt mxzAlxcO5lad8OTkI6OZdnR8wY8i6GfTmMfdtx4QBh3s+XQb0w5oBxzDhDRQDDTq 4d2Tprc/lx7AqHe+v1wJYbt1n9rhUnYtnUZsvP9EUBYITYPTIAbwbnYVmuGW99IJ HrwdczFczQD7uy1P78ab =t80z -----END PGP SIGNATURE-----