[svn] commit: r1184 - in /trunk/src/lib/auth: TODO data_source.cc data_source.h data_source_sqlite3.cc data_source_sqlite3.h data_source_sqlite3_unittest.cc data_source_static.cc data_source_static.h unittest_ds.cc unittest_ds.h
Sun Mar 7 22:24:33 UTC 2010
Author: each
Date: Sun Mar 7 22:24:33 2010
New Revision: 1184
Log:
Corrected NSEC3 logic. When returning NXDOMAIN for a node that isn't
directly under the zone apex (e.g., a.b.c.d.e.foo.com), we need to return
the NSEC3 covering the closest enclosing name, not the one for the zone name
itself. We also need to avoid sending multiple copies of the same NSEC3.
Modified:
trunk/src/lib/auth/TODO
trunk/src/lib/auth/data_source.cc
trunk/src/lib/auth/data_source.h
trunk/src/lib/auth/data_source_sqlite3.cc
trunk/src/lib/auth/data_source_sqlite3.h
trunk/src/lib/auth/data_source_sqlite3_unittest.cc
trunk/src/lib/auth/data_source_static.cc
trunk/src/lib/auth/data_source_static.h
trunk/src/lib/auth/unittest_ds.cc
trunk/src/lib/auth/unittest_ds.h
Modified: trunk/src/lib/auth/TODO
==============================================================================
--- trunk/src/lib/auth/TODO (original)
+++ trunk/src/lib/auth/TODO Sun Mar 7 22:24:33 2010
@@ -1,6 +1,2 @@
- change filenames so we don't have everything starting with "data_source_"?
- store rdata in the database as binary blobs instead of text
-- correct NSEC3 logic:
- - closest encloser proof is incorrect; need to send covering NSEC3
- for the "next closest" name, not necessarily for the name itself
- - need to check for duplication in the resulting NSEC3's
Modified: trunk/src/lib/auth/data_source.cc
==============================================================================
--- trunk/src/lib/auth/data_source.cc (original)
+++ trunk/src/lib/auth/data_source.cc Sun Mar 7 22:24:33 2010
@@ -293,18 +293,18 @@
}
static inline DataSrc::Result
-addNSEC3(const string& hash, Query& q, const DataSrc* ds, const Name& zonename)
-{
- RRsetList nsec3;
- Message& m = q.message();
+getNsec3(Query& q, const DataSrc* ds, const Name& zonename, string& hash,
+ RRsetPtr target)
+{
DataSrc::Result result;
-
- result = ds->findCoveringNSEC3(q, hash, zonename, nsec3);
+ RRsetList rl;
+
+ result = ds->findCoveringNSEC3(q, zonename, hash, rl);
if (result != DataSrc::SUCCESS) {
- return (DataSrc::ERROR);
- }
-
- m.addRRset(Section::AUTHORITY(), nsec3[RRType::NSEC3()], true);
+ return (result);
+ }
+
+ target = rl[RRType::NSEC3()];
return (DataSrc::SUCCESS);
}
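Review bot: The new `getNsec3` signature takes `RRsetPtr target` by value, so the assignment `target = rl[RRType::NSEC3()];` updates a local copy and the caller's pointer is never set; in `proveNX` the default-constructed `rrset` (presumably a null shared pointer) is then handed to `m.addRRset(Section::AUTHORITY(), rrset, true)`. Change the parameter to a reference, `RRsetPtr& target)`, so the found RRset reaches the caller. It would also help to state the in/out contract of `hash` in a comment above the function, e.g. `// hash: on entry the hash to cover; on return the owner hash of the NSEC3 found`, since proveNX relies on that overwrite to detect duplicates.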
@@ -344,31 +344,60 @@
static inline DataSrc::Result
proveNX(Query& q, QueryTaskPtr task, const DataSrc* ds, const Name& zonename)
{
+ Message& m = q.message();
DataSrc::Result result;
+
ConstNsec3ParamPtr nsec3 = getNsec3Param(q, ds, zonename);
if (nsec3 != NULL) {
- string node(nsec3->getHash(task->qname));
- result = addNSEC3(node, q, ds, zonename);
+ // Attach the NSEC3 record covering the QNAME
+ RRsetPtr rrset;
+ string hash1(nsec3->getHash(task->qname));
+ result = getNsec3(q, ds, zonename, hash1, rrset);
if (result != DataSrc::SUCCESS) {
return (result);
}
-
- string apex(nsec3->getHash(zonename));
- if (node != apex) {
- result = addNSEC3(apex, q, ds, zonename);
+ m.addRRset(Section::AUTHORITY(), rrset, true);
+
+ // If this is an NXRRSET or NOERROR/NODATA, we're done
+ if ((task->flags & DataSrc::TYPE_NOT_FOUND) != 0) {
+ return (DataSrc::SUCCESS);
+ }
+
+ // Find the closest provable enclosing name for QNAME
+ Name enclosure(zonename);
+ int nlen = task->qname.getLabelCount();
+ int diff = nlen - enclosure.getLabelCount();
+ for (int i = 1; i <= diff; ++i) {
+ enclosure = task->qname.split(i, nlen - i);
+ string nodehash(nsec3->getHash(enclosure));
+ if (nodehash == hash1) {
+ break;
+ }
+ hash2 = nodehash;
+ RRsetList rl;
+
+ // hash2 will be overwritten with the actual hash found;
+ // we don't want to use one until we find an exact match
+ result = getNsec3(q, ds, zonename, hash2, rrset);
+ if (result != DataSrc::SUCCESS) {
+ return (DataSrc::ERROR);
+ }
+
+ if (hash2 == nodehash) {
+ m.addRRset(Section::AUTHORITY(), rrset, true);
+ break;
+ }
+ }
+
+ // Now add a covering NSEC3 for a wildcard under the
+ // closest provable enclosing name
+ string hash3(nsec3->getHash(Name("*").concatenate(enclosure)));
+ if (wild != hash1 && wild != hash2) {
+ result = getNsec3(q, ds, zonename, wild, rrset);
if (result != DataSrc::SUCCESS) {
return (result);
}
- }
-
- if ((task->flags & DataSrc::NAME_NOT_FOUND) != 0) {
- string wild(nsec3->getHash(Name("*").concatenate(zonename)));
- if (node != wild) {
- result = addNSEC3(wild, q, ds, zonename);
- if (result != DataSrc::SUCCESS) {
- return (result);
- }
- }
+ m.addRRset(Section::AUTHORITY(), rrset, true);
}
} else {
Name nsecname(task->qname);
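Review bot: `hash2` is assigned at `hash2 = nodehash;` but no declaration of it is visible in the new code, and the wildcard block declares `string hash3(...)` while the next two lines use `wild`, whose old declaration this commit removes; unless both names exist at file scope this hunk does not compile — add `string hash2;` before the loop and rename `hash3` to `wild` (or the uses to `hash3`). The `RRsetList rl;` inside the loop is unused now that `getNsec3` owns its own list, and the loop's failure path returns `DataSrc::ERROR` where the two other checks in this function propagate `result`. Each iteration performs one NSEC3 hash computation and one `findCoveringNSEC3` lookup per label of QNAME below the apex, so deeply nested query names cost proportionally more; a comment stating that bound (`// one hash + one lookup per label between QNAME and the apex`) would help a reader. proveNX's body continues past the end of the hunk.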
Modified: trunk/src/lib/auth/data_source.h
==============================================================================
--- trunk/src/lib/auth/data_source.h (original)
+++ trunk/src/lib/auth/data_source.h Sun Mar 7 22:24:33 2010
@@ -146,8 +146,8 @@
// This MUST be implemented by concrete data sources which support
// NSEC3, but is optional for others
virtual Result findCoveringNSEC3(const Query& q,
- const std::string& hash,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const = 0;
};
@@ -215,8 +215,8 @@
const isc::dns::Name* zonename) const = 0;
virtual Result findCoveringNSEC3(const Query& q,
- const std::string& hash,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const = 0;
private:
@@ -293,8 +293,8 @@
}
virtual Result findCoveringNSEC3(const Query& q,
- const std::string& qname,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const
{
return (NOT_IMPLEMENTED);
Modified: trunk/src/lib/auth/data_source_sqlite3.cc
==============================================================================
--- trunk/src/lib/auth/data_source_sqlite3.cc (original)
+++ trunk/src/lib/auth/data_source_sqlite3.cc Sun Mar 7 22:24:33 2010
@@ -549,8 +549,8 @@
DataSrc::Result
Sqlite3DataSrc::findCoveringNSEC3(const Query& q,
- const string& hashstr,
const Name& zonename,
+ string& hashstr,
RRsetList& target) const
{
int zone_id = findClosest(zonename.toText().c_str(), NULL);
@@ -614,7 +614,7 @@
flags) == 0 || flags != 0) {
result = ERROR;
}
-
+ hashstr = string(hash);
sqlite3_reset(q_nsec3);
return (result);
}
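Review bot: `hashstr = string(hash);` runs unconditionally after the block that may set `result = ERROR`, so the caller's in/out hash is overwritten even when the lookup failed; placing it under `if (result == SUCCESS)` keeps the caller's value intact on error. If `hash` is the raw column text fetched from sqlite3 (its definition is outside the hunk), it can be NULL for a NULL column, and constructing a `std::string` from NULL is undefined behaviour — guard it, e.g. `if (hash != NULL) hashstr = string(hash);`. The enclosing `findCoveringNSEC3` begins in the previous hunk.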
Modified: trunk/src/lib/auth/data_source_sqlite3.h
==============================================================================
--- trunk/src/lib/auth/data_source_sqlite3.h (original)
+++ trunk/src/lib/auth/data_source_sqlite3.h Sun Mar 7 22:24:33 2010
@@ -89,8 +89,8 @@
const isc::dns::Name* zonename) const;
Result findCoveringNSEC3(const Query& q,
- const std::string& hash,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const;
Result init();
Modified: trunk/src/lib/auth/data_source_sqlite3_unittest.cc
==============================================================================
--- trunk/src/lib/auth/data_source_sqlite3_unittest.cc (original)
+++ trunk/src/lib/auth/data_source_sqlite3_unittest.cc Sun Mar 7 22:24:33 2010
@@ -677,8 +677,8 @@
const Name nsec3_zonename("sql2.example.com");
EXPECT_EQ(DataSrc::SUCCESS,
- data_source.findCoveringNSEC3(*query, hashstr, nsec3_zonename,
- result_sets));
+ data_source.findCoveringNSEC3(*query, nsec3_zonename,
+ hashstr, result_sets));
RRsetList::iterator it = result_sets.begin();
checkRRset(*it, Name(hashstr).concatenate(nsec3_zonename), RRClass::IN(),
RRType::NSEC3(), RRTTL(7200), nsec3_data, &nsec3_sig_data);
Modified: trunk/src/lib/auth/data_source_static.cc
==============================================================================
--- trunk/src/lib/auth/data_source_static.cc (original)
+++ trunk/src/lib/auth/data_source_static.cc Sun Mar 7 22:24:33 2010
@@ -175,8 +175,8 @@
}
DataSrc::Result
-StaticDataSrc::findCoveringNSEC3(const Query& q, const string& hash,
- const Name& zonename, RRsetList& target) const
+StaticDataSrc::findCoveringNSEC3(const Query& q, const Name& zonename,
+ string& hash, RRsetList& target) const
{
return (NOT_IMPLEMENTED);
}
Modified: trunk/src/lib/auth/data_source_static.h
==============================================================================
--- trunk/src/lib/auth/data_source_static.h (original)
+++ trunk/src/lib/auth/data_source_static.h Sun Mar 7 22:24:33 2010
@@ -82,8 +82,8 @@
const isc::dns::Name* zonename) const;
Result findCoveringNSEC3(const Query& q,
- const std::string& hash,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const;
Result init();
Modified: trunk/src/lib/auth/unittest_ds.cc
==============================================================================
--- trunk/src/lib/auth/unittest_ds.cc (original)
+++ trunk/src/lib/auth/unittest_ds.cc Sun Mar 7 22:24:33 2010
@@ -775,8 +775,8 @@
DataSrc::Result
TestDataSrc::findCoveringNSEC3(const Query& q,
- const string& hash,
const Name& zonename,
+ string& hash,
RRsetList& target) const
{
return (NOT_IMPLEMENTED);
Modified: trunk/src/lib/auth/unittest_ds.h
==============================================================================
--- trunk/src/lib/auth/unittest_ds.h (original)
+++ trunk/src/lib/auth/unittest_ds.h Sun Mar 7 22:24:33 2010
@@ -86,8 +86,8 @@
const isc::dns::Name* zonename) const;
Result findCoveringNSEC3(const Query& q,
- const std::string& hash,
const isc::dns::Name& zonename,
+ std::string& hash,
isc::dns::RRsetList& target) const;
Result init();