So I'm trying to do something that's probably highly experimental and possibly unsupported by the combination of NSD and named-xfer. But I'm going to ask here anyway, as the archives don't show anything relevant.

I've got NSD 2.1.2 on FreeBSD 4.10. Compiled with --enable-dnssec and pointing at the BIND 8.4.5 named-xfer program. I also have a signed zone (netsec.tislabs.com.) that's signed. I'm trying to get NSD to secondary the netsec zone.

I'm getting errors when I run nsdc update. zonec is complaining about unterminated parenthesis and unrecognized RR types. You can see the error output here: <http://www.netsec.tislabs.com/conf/buddy/nsdc_update.out>.

named-xfer _is_ axfer-ing the zone. It doesn't, obviously, understand the new DNSSEC RR types, so it is storing the zone with the RRs in unknown RR format. You can see the file that named-xfer writes here: <http://www.netsec.tislabs.com/conf/buddy/netsec.tislabs.com>.

Is NSD just not parsing the zone properly? Is named-xfer doing something wrong? Am I trying to be too cutting-edge? :)

--
Wesley Griffin <wgriffin at sparta.com>

Wesley Griffin wrote:

> named-xfer _is_ axfer-ing the zone. It doesn't, obviously, understand
> the new DNSSEC RR types, so it is storing the zone with the RRs in
> unknown RR format. You can see the file that named-xfer writes here:
> <http://www.netsec.tislabs.com/conf/buddy/netsec.tislabs.com>.

The problem here is that the record being transferred is unknown and below the zone cut. So named-xfer tries to comment it out, because it shouldn't exist. Unfortunately, it only comments out the first line, resulting in a syntax error.

There is a patch for named-xfer somewhere. But this was one of the main reasons to implement our own AXFR client, because DNSSEC will not work without a DNSSEC-aware AXFR client.

> Is NSD just not parsing the zone properly? Is named-xfer doing something
> wrong? Am I trying to be too cutting-edge? :)

Yes, you are trying to be too cutting-edge, but it will help us find and fix bugs, so please continue :)

Erik

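The failure Erik describes (a multi-line record whose first line is commented out while its continuation lines stay live) can be caught before the zone compiler runs. The following is an added example, not code from this thread, NSD or BIND; `scan`, `lint_zone` and the sample zone are hypothetical and constructed for illustration.

```python
# Constructed sample (not the zone from this thread): a transferred zone file
# in which only the first line of a multi-line unknown-type record is commented.
SAMPLE = (
    "$ORIGIN example.\n"
    "www\t3600\tIN\tA\t192.0.2.1\n"
    ";child\t3600\tIN\tTYPE46\t\\# 32 ( 0001050200000e10\n"
    "\t\t\t\t4170b6e04148d6d0a1b2c3d4e5f60718\n"
    "\t\t\t\t293a4b5c6d7e8f90 )\n"
    "mail\t3600\tIN\tA\t192.0.2.2\n"
)

def scan(line):
    """Return (live_text, comment, live_parens), honouring quotes and escapes."""
    parens, quoted, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":                      # escaped char is never a delimiter
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == ";":      # start of a comment
            break
        elif not quoted and ch in "()":
            parens.append(ch)
        i += 1
    i = min(i, len(line))
    return line[:i], line[i:], parens

def lint_zone(text):
    """Return (line_no, kind) findings for half-commented multi-line records."""
    findings, depth, opened_at, suspect = [], 0, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        live, comment, parens = scan(raw)
        continuation = raw[:1] in (" ", "\t") and live.strip() != ""
        if suspect is not None and continuation and depth == 0:
            findings.append((no, "dangling-continuation"))
        elif raw.strip():
            suspect = None                  # a new record or comment starts here
        for p in parens:
            if p == "(":
                opened_at = no if depth == 0 else opened_at
                depth += 1
            elif depth == 0:
                findings.append((no, "stray-close"))
            else:
                depth -= 1
        # A comment that opens '(' without closing it may hide a record start.
        if depth == 0 and comment.count("(") > comment.count(")"):
            suspect = no
    if depth:
        findings.append((opened_at, "unterminated-open"))
    return findings
```

Running `lint_zone` on the transferred file before the zone is compiled turns the parser's unterminated-parenthesis and unrecognized-type errors into a pointer at the commented-out record that caused them.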
[Quoting Erik Rozendaal, on Oct 15, 23:29, in "Re: NSD 2.1.2, secon ..."]

> There is a patch for named-xfer somewhere. But this was one of the main

The patch for named-xfer is appended.

> > Is NSD just not parsing the zone properly? Is named-xfer doing something
> > wrong? Am I trying to be too cutting-edge? :)
> Yes, you are trying to be too cutting-edge, but it will help us find and
> fix bugs, so please continue :)

Agree!

-- ted

Index: named-xfer.c ==================================================================RCS file: /proj/cvs/prod/bind8/src/bin/named-xfer/named-xfer.c,v retrieving revision 8.144 diff -u -r8.144 named-xfer.c --- named-xfer.c 27 Aug 2004 00:23:16 -0000 8.144 +++ named-xfer.c 30 Sep 2004 00:40:10 -0000 @@ -3087,6 +3087,8 @@ fputs(" ( ", dbfp); isc_puthexstring(dbfp, cp1, n, (longname ? 28 : 40), 48, + (ignore[0] == ';') ? + "\n;\t\t\t\t" : "\n\t\t\t\t"); fputs(" )\n", dbfp); } else
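
Review bot: the new `(ignore[0] == ';')` test in the separator argument of isc_puthexstring() needs a one-line comment saying what `ignore` is, since nothing in this hunk shows where it is set or that it always points at a valid string at this point; it appears to be the prefix written in front of records that are being commented out. The hunk also covers only this hex-string path: any other place in named-xfer.c that writes a multi-line record with a "\n\t\t\t\t" continuation needs the same check, otherwise a commented-out record can still leave live continuation lines behind and the zone parser will reject the file in the same way.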