NLnetLabs / ldns

LDNS is a DNS library that facilitates DNS tool programming
https://nlnetlabs.nl/ldns
BSD 3-Clause "New" or "Revised" License

ldns-verify-zone: DNAME-occluded records get confusing warning about glue #145

Open Habbie opened 2 years ago

Habbie commented 2 years ago

With a zone containing

x.example.com.      3005    IN  DNAME   example.nl.
a.x.example.com.    3005    IN  A   192.0.2.5

(plus SOA, DNSKEY, signatures, etc.), ldns-verify-zone reports:

Error: a.x.example.com. A has signature(s), but is glue
Error: a.x.example.com. has an NSEC(3), but is glue
There were errors in the zone

It is correct in flagging those records (they should not be there, as the DNAME occludes them), but the error text is wrong. I briefly looked at the code; fixing this might mean adding another bool similar to is_glue to the data structure.

wtoorop commented 2 years ago

You are right, it is actually marking all occluded data (including glue). See this excerpt from dnssec_zone.h:

        /**
         * Unlike what the name is_glue suggests, this field is set to true by
         * ldns_dnssec_zone_mark_glue() or ldns_dnssec_zone_mark_and_get_glue()
         * when the name, this dnssec_name struct represents, is occluded.
         * Names that contain other occluded rrsets and records with glue on
         * the delegation point will NOT have this bool set to true.
         * This field should NOT be read directly, but only via the
         * ldns_dnssec_name_is_glue() function!
         */
        bool is_glue;

Perhaps it would already be an improvement to just change the message to ", but is occluded (or glue)" instead of ", but is glue". WDYT?
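The distinction discussed above, as an added example that is not ldns code: a small checker that records why a name may carry no signatures or NSEC, so the message can say "occluded by DNAME" or "glue" by cause. It assumes absolute owner names with a trailing dot and a zone given as (owner, rrtype) pairs; the sample zone is constructed.

```python
# Added example, not ldns code: tell DNAME-occluded names apart from glue so a
# checker can word its error by cause. Assumes absolute owner names with a
# trailing dot and a zone given as (owner, rrtype) pairs.

def ancestors_below_apex(owner, apex):
    """Proper ancestors of owner inside the zone, apex first, parent last."""
    labels = owner.rstrip(".").split(".")
    apex_len = len(apex.rstrip(".").split("."))
    anc = [".".join(labels[i:]) + "." for i in range(1, len(labels) - apex_len + 1)]
    return anc[::-1]

def classify_owners(zone, apex):
    """Map owners that must carry no signatures/NSEC to the reason why.
    Walking from the apex down, the first DNAME owner or delegation point met
    decides: below a DNAME owner is occluded (RFC 6672), below a non-apex NS
    owner is under a zone cut and therefore at most glue."""
    dname_owners = {o for o, t in zone if t == "DNAME"}
    cuts = {o for o, t in zone if t == "NS" and o != apex}
    reasons = {}
    for owner, _ in zone:
        for anc in ancestors_below_apex(owner, apex):
            if anc in dname_owners:
                reasons[owner] = f"occluded by DNAME at {anc}"
                break
            if anc in cuts:
                reasons[owner] = f"glue below delegation at {anc}"
                break
    return reasons

def report(zone, apex):
    """Error lines in the style of ldns-verify-zone, but naming the real cause."""
    reasons = classify_owners(zone, apex)
    lines = []
    for owner, rrtype in zone:
        if owner in reasons and rrtype in ("RRSIG", "NSEC", "NSEC3"):
            what = "signature(s)" if rrtype == "RRSIG" else "an NSEC(3)"
            lines.append(f"Error: {owner} has {what}, but is {reasons[owner]}")
    return lines

# Constructed sample zone: the issue's DNAME case plus an ordinary delegation.
ZONE = [
    ("example.com.", "SOA"), ("example.com.", "NS"), ("example.com.", "DNSKEY"),
    ("x.example.com.", "DNAME"), ("x.example.com.", "RRSIG"), ("x.example.com.", "NSEC"),
    ("a.x.example.com.", "A"), ("a.x.example.com.", "RRSIG"), ("a.x.example.com.", "NSEC"),
    ("sub.example.com.", "NS"), ("ns1.sub.example.com.", "A"),
]

if __name__ == "__main__":
    print("\n".join(report(ZONE, "example.com.")))
```

The DNAME owner itself (x.example.com.) is not flagged, only names under it; address records at a delegation point itself are left out here, as the ldns comment above notes they are tracked separately.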