Bug 783

Summary: Trying to run a root server without having configured it silently gives wrong answers
Product: NSD Reporter: Paul Hoffman <paul.hoffman>
Component: NSD CodeAssignee: NSD team <nsd-team>
Severity: normal CC: wouter
Priority: P5    
Version: 4.1.x   
Hardware: All   
OS: All   

Description Paul Hoffman 2016-06-24 19:42:51 CEST
Greetings. I compiled from source. I created a configuration with the root zone and a valid root zone file. nsd-checkconfig gave no errors. NSD, even with -d -V 6 gave no indication that anything is wrong. Queries for . result in SERVFAIL with nothing noted in the log. Searching in the man pages shows nothing. It was only by great fortune that I asked someone who had had this problem before and could point me to the ***configure*** option that would fix this.


- nsd-checkconfig should issue hard errors if the root zone is listed but the configure option was not used.

- Launching NSD in this case should fail with usable messages in the log.

- Allowing root zone serving should be the default build option, not something you need to notice in ./configure --help.
Comment 1 Wouter Wijngaards 2016-06-27 10:22:12 CEST
Hi Paul,

Thank you for the report, I fixed it in two ways.  There was a bug in the check code that return the wrong value for this case, allowing the zone to continue.  I fixed this bug and this makes nsd-checkzone and nsd (the daemon) print errors.

I also added a check in nsd-checkconf that will print an error.  And then fail:
test.conf: not configured as a root server.
test.conf: 1 semantic errors in 5 zones, 2 keys.

NSD prints errors in the log, and nsd-checkzone also prints errors (similar to the above).

Best regards, Wouter
Comment 2 Paul Hoffman 2016-06-27 16:47:42 CEST
Is it possible to make the error messages say that the fix is in the ./configure command line? I spent a lot of time poring through man pages.
Comment 3 Wouter Wijngaards 2016-06-27 17:11:34 CEST
Hi Paul,

Well, it is supposedly to idiot-proof against people running root servers.  So; some sort of hurdle is implied by that.  It was emplaced in early versions of NSD because BIND users would try to configure zone "." type hint to add root hints for a recursor and so become silently authoritative for a dysfunctional root zone.  The config option and error are supposed to stop them.

So, not some sort of error message where the path of least friction makes them try to become some sort of unknowningly authoritative server for the root.  Perhaps something explicit 'no zone type hint is not needed in NSD config' :-)

The actual people that need root servers are very few, hence the safety option.  I am not sure how to explain this to users that are trying to copy and paste some ununderstandable config snippets...

Best regards, Wouter
Comment 4 Paul Hoffman 2016-06-27 18:42:31 CEST
OK, I now see the tussle. I prefer the way that Knot has done it, but respect your choice. Let's hope this thread show up high enough in the Google searches for future people like me. :-)