BIND 10 trac1310, updated. 8279efec0dae2291665a99e4d489e8e5ef7a51c1 [1310] Add dupicate check for NSEC RR.
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Nov 17 03:01:49 UTC 2011
The branch, trac1310 has been updated
via 8279efec0dae2291665a99e4d489e8e5ef7a51c1 (commit)
from fda23d6cf412c2a90df325c244f79811d939d3c7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 8279efec0dae2291665a99e4d489e8e5ef7a51c1
Author: xiejiagui <xiejiagui at cnnic.cn>
Date: Thu Nov 17 10:55:51 2011 +0800
[1310] Add dupicate check for NSEC RR.
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 44 +++++++++++++++++++++++++++++----
src/bin/auth/query.h | 6 ++++
src/bin/auth/tests/query_unittest.cc | 5 +--
3 files changed, 46 insertions(+), 9 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 6f324f2..8f6ca50 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -186,6 +186,41 @@ Query::addWildcardProof(ZoneFinder& finder) {
}
void
+Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
+ // The query name shouldn't exist in the zone if there were no wildcard
+ // substitution. Confirm that by specifying NO_WILDCARD. It should result
+ // in NXDOMAIN and an NSEC RR that proves it should be returned.
+ if (nsec->getRdataCount() == 0) {
+ isc_throw(BadNSEC, "NSEC for NXRRSET is empty");
+ return;
+ }
+
+ const ZoneFinder::FindResult fresult =
+ finder.find(qname_, RRType::NSEC(), NULL,
+ dnssec_opt_ | ZoneFinder::NO_WILDCARD);
+ if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
+ fresult.rrset->getRdataCount() == 0) {
+ isc_throw(BadNSEC, "Unexpected result for no match QNAME proof");
+ return;
+ }
+
+ if (nsec->getName() == fresult.rrset->getName()) {
+ // one NSEC RR proves wildcard_nxrrset and no matched QNAME.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(fresult.rrset),
+ dnssec_);
+ } else {
+ // add NSEC RR that proves wildcard_nxrrset.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(nsec), dnssec_);
+ // add NSEC RR that proves no matched QNAME.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(fresult.rrset),
+ dnssec_);
+ }
+}
+
+void
Query::addAuthAdditional(ZoneFinder& finder) {
// Fill in authority and addtional sections.
ZoneFinder::FindResult ns_result = finder.find(finder.getOrigin(),
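Review bot: The `return;` after each `isc_throw` in addWildcardNxrrsetProof (after the empty-NSEC check and after the NXDOMAIN check) is unreachable, because isc_throw raises; drop both lines so the control flow reads as the hard failure it is rather than suggesting the function can continue after a bad proof. The duplicate check relies on NSEC owner-name equality meaning "same RR", which holds only if the finder never returns two distinct NSEC RRsets at one owner; that is true for a correctly signed zone but deserves stating at the comparison: `// NSEC owner names are unique within a zone, so an equal owner name means the same RR: add it once.` The NO_WILDCARD re-lookup and its three-line comment appear to mirror addWildcardProof just above; if that function performs the same lookup, a shared private helper returning the covering NSEC would keep the two proofs from drifting apart.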
@@ -356,12 +391,9 @@ Query::process() {
}
break;
case ZoneFinder::WILDCARD_NXRRSET:
- addSOA(*result.zone_finder);
- if(dnssec_ && db_result.rrset) {
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<RRset>(
- db_result.rrset),
- dnssec_);
+ addSOA(*result.zone_finder);
+ if (dnssec_ && db_result.rrset) {
+ addWildcardNxrrsetProof(zfinder,db_result.rrset);
}
break;
default:
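Review bot: The new call passes `zfinder` while the line just above still uses `*result.zone_finder`; if these name the same finder (zfinder is defined outside this hunk), use one spelling for both, e.g. `addWildcardNxrrsetProof(*result.zone_finder, db_result.rrset);`, which also restores the space after the comma used elsewhere in this file. addWildcardNxrrsetProof can now throw BadNSEC from inside Query::process(), and the hunk does not show where that exception is caught; confirm the caller turns it into SERVFAIL so an inconsistent zone cannot let an exception escape the query path. Query::process() begins and ends outside this hunk.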
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index 3282c0d..d4af955 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -82,6 +82,12 @@ private:
/// This corresponds to Section 3.1.3.3 of RFC 4035.
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
+ /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
+ ///
+ /// This corresponds to Section 3.1.3.4 of RFC 4035.
+ void addWildcardNxrrsetProof(isc::datasrc::ZoneFinder& finder,
+ isc::dns::ConstRRsetPtr nsec);
+
/// \brief Look up additional data (i.e., address records for the names
/// included in NS or MX records) and add them to the additional section.
///
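Review bot: The new declaration's comment omits the `\brief` tag and the parameter and exception documentation that the neighbouring addAuthAdditional comment follows, and reads "an WILDCARD_NXRRSET". I would write it as `/// \brief Add NSEC RRs that prove a WILDCARD_NXRRSET result (RFC 4035 Section 3.1.3.4).`, `/// \param nsec The NSEC RRset from the wildcard lookup proving the NXRRSET; must be non-empty.`, `/// \exception BadNSEC if \c nsec is empty or the NO_WILDCARD lookup of the query name does not yield NXDOMAIN with an NSEC.` Noting the throw in the header matters because the caller in process() has to be prepared for it.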
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index 42741f4..b4f586d 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -116,7 +116,6 @@ const char* const nsec_mx_txt =
"mx.example.com. 3600 IN NSEC ).no.example.com. MX NSEC RRSIG\n";
const char* const nsec_no_txt =
").no.example.com. 3600 IN NSEC nz.no.example.com. AAAA NSEC RRSIG\n";
-
// We'll also test the case where a single NSEC proves both NXDOMAIN and the
// non existence of wildcard. The following records will be used for that
// test.
@@ -181,7 +180,7 @@ public:
nsec_nxdomain_txt << nsec_www_txt << nonsec_a_txt <<
wild_txt << nsec_wild_txt << cnamewild_txt << nsec_cnamewild_txt;
- masterLoad(zone_stream, origin_, rrclass_,
+ masterLoad(zone_stream, origin_, rrclass_,
boost::bind(&MockZoneFinder::loadRRset, this, _1));
empty_nsec_rrset_ = ConstRRsetPtr(new RRset(Name::ROOT_NAME(),
@@ -932,7 +931,7 @@ TEST_F(QueryTest, badWildcardProof3) {
Query::BadNSEC);
}
-TEST_F(QueryTest, wildcardNxrrsetWithNSEC1) {
+TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
// NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
// NXRRSET and their RRSIGs.
Query(memory_client, Name("www.wild.example.com"), RRType::TXT(), response,
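Review bot: The renamed test's comment still describes the generic NXRRSET proof ("SOA, NSEC that proves the NXRRSET and their RRSIGs") rather than the duplicate case the new name advertises; I would replace it with `// Wildcard NXRRSET where one NSEC proves both the wildcard NXRRSET and the non-existence of QNAME: that RR must appear only once in AUTHORITY.` The diffstat shows only a rename and a whitespace change in this file, so the two-NSEC branch of addWildcardNxrrsetProof (distinct owner names) and both of its BadNSEC paths appear to have no test in this commit unless they exist on another branch; a companion test with different owner names and one expecting Query::BadNSEC, in the style of badWildcardProof3 above, would cover them. The test body continues outside this hunk.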