[Pdns-dev] please review our NSEC3 changes!

Peter van Dijk peter.van.dijk at netherlabs.nl
Wed Aug 1 13:30:23 CEST 2012


Hello fellow developers,

summary: please review our NSEC3 code at https://github.com/habbie/powerdns/tree/fixnsec3 or https://github.com/Habbie/powerdns/compare/master…fixnsec3 !

Longer version:

prompted by recent big-scale DNSSEC rollouts (PowerDNS is responsible for a large part of the current level of http://xs.powerdns.com/dnssec-nl-graph/), a few bugs in PowerDNS' core DNS code and NSEC3 handling have popped up:
http://wiki.powerdns.com/trac/ticket/486
http://wiki.powerdns.com/trac/ticket/537
http://wiki.powerdns.com/trac/ticket/540

plus a non-ticket report that multi-label NXDOMAINs were failing (this is basically the same issue as in #486, as a wildcard response also involves a denial of the concrete name).

Kees Monshouwer has done a tremendous amount of work trying to fix these things, and I have collected his work plus some extra tests and a few nitpicks in a branch on GitHub, available at https://github.com/habbie/powerdns/tree/fixnsec3

You can view the diff to the pdns master tree at https://github.com/Habbie/powerdns/compare/master…fixnsec3

As part of this effort, nsec3dig was developed. It is in the pdns/ subdir of our source tree and can be built with 'make nsec3dig'. Note that it is very much a debugging tool. Some of the output it gives may be useless, and some things that might be useful (like telling you an RRSIG for a synthesized wildcard is correct) are missing. However, within the limitations of the tool, I have found it invaluable.

This branch (as do the master branch and our SVN) contains an extensive testing suite. Go into regression-tests/ and type './start-test-stop help' for more information. For the MySQL tests, you can override the connection information with some environment variables - see the source of start-test-stop for more information. Note that the database you point it at will be destroyed before testing.

We would like to ask anyone who is able and willing to do one or more of the following:
- read the diff or the full source of the updated implementation
- test the updated implementation in a lab (or in production, if you dare!)
- invent more tests

If you find anything, or if you find nothing, please let us know!

I intend/hope to put the updated code in SVN this week or next week. A 3.1.1 release might just happen shortly after that.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
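The two failure classes the mail points at (a wildcard answer that must also deny the concrete name, and a multi-label NXDOMAIN that needs the closest-encloser walk) both come down to which NSEC3 records a server has to put in the authority section. The following is an added example written for this archive page; it is not PowerDNS code, not nsec3dig, and not part of the branch under review. It implements the RFC 5155 owner-name hash and the record selection of RFC 5155 sections 7.2.2 (Name Error) and 7.2.6 (Wildcard Answer) over a small constructed zone: the salt (aabbccdd), iteration count (12) and owner names are a subset of the RFC 5155 Appendix A test vectors, so the hashes can be checked against the RFC; all function names are the author's own.

```python
"""NSEC3 hashing and the NSEC3 records a name error / wildcard answer must carry.

Added example, not PowerDNS code. Zone names and parameters (salt aabbccdd,
12 iterations) are taken from the RFC 5155 Appendix A test vectors (a subset).
"""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 "Extended Hex" alphabet


def to_wire(name):
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Unpadded base32hex; SHA-1 output is 160 bits, so exactly 32 characters."""
    n = int.from_bytes(data, "big")
    nchars = -(-len(data) * 8 // 5)
    n <<= nchars * 5 - len(data) * 8
    return "".join(B32HEX[(n >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt)."""
    h = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


SALT = bytes.fromhex("aabbccdd")
ITER = 12
# Constructed zone: names from RFC 5155 Appendix A (y.w.example is an empty non-terminal).
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
              "w.example", "*.w.example", "x.w.example", "x.y.w.example",
              "xx.example", "y.w.example"]


def build_chain(names):
    """Return [(owner_hash, next_hash, name)] in hash order, i.e. the NSEC3 chain."""
    hashed = sorted((nsec3_hash(n, SALT, ITER), n) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]


def covering(chain, h):
    """Hashed owner of the NSEC3 whose (owner, next) span covers h, wrapping at chain end."""
    for owner, nxt, _ in chain:
        if owner < nxt and owner < h < nxt:
            return owner
        if owner > nxt and (h > owner or h < nxt):     # last record wraps to the first
            return owner
    raise ValueError("hash equals an existing owner; nothing to cover")


def parent(name):
    return name.split(".", 1)[1] if "." in name else ""


def denial_proof(chain, existing, qname):
    """NSEC3 records (by hashed owner) the authority section needs for a non-existent qname.

    Returns ("nxdomain", proof) per RFC 5155 7.2.2: matching closest encloser,
    covering next closer name, covering wildcard at the closest encloser; or
    ("wildcard", proof) per 7.2.6: the synthesized answer still has to carry the
    NSEC3 covering the next closer name, proving no more specific name exists.
    """
    if qname in existing:
        raise ValueError("name exists; this is a positive or NODATA answer")
    closest, next_closer = qname, None
    while closest not in existing:          # walk up label by label to the closest encloser
        if not closest:
            raise ValueError("qname is not below the zone apex")
        next_closer, closest = closest, parent(closest)
    wildcard = "*." + closest
    proof = {"next_closer": covering(chain, nsec3_hash(next_closer, SALT, ITER))}
    if wildcard in existing:
        return "wildcard", proof
    proof["closest_encloser"] = nsec3_hash(closest, SALT, ITER)
    proof["wildcard"] = covering(chain, nsec3_hash(wildcard, SALT, ITER))
    return "nxdomain", proof


if __name__ == "__main__":
    chain = build_chain(ZONE_NAMES)
    names = set(ZONE_NAMES)
    # Multi-label NXDOMAIN (RFC 5155 B.2) and wildcard expansion (RFC 5155 B.5).
    for q in ("a.c.x.w.example", "a.z.w.example"):
        print(q, denial_proof(chain, names, q))
```

For a.c.x.w.example the walk has to climb two labels before it reaches the existing x.w.example, and the proof then consists of three distinct NSEC3 records; for a.z.w.example the wildcard *.w.example exists, so the answer is synthesized but the NSEC3 covering z.w.example must still be present, which is exactly the "denial of the concrete name" that a wildcard response involves. A validator that receives the synthesized record without that covering NSEC3 must treat the answer as bogus, so a server that omits it breaks resolution rather than merely weakening it.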


