BIND 10 trac1310, updated. 1f6edd11fbf7e0143f99f20fc714044b989b299a [1310] Add unit test about two NSEC RRs which proved no matched QNAME and via wildcard expansion no matched <QNAME, QTYPE>
BIND 10 source code commits
bind10-changes at lists.isc.org
Sat Nov 19 08:08:40 UTC 2011
The branch, trac1310 has been updated
via 1f6edd11fbf7e0143f99f20fc714044b989b299a (commit)
from 8279efec0dae2291665a99e4d489e8e5ef7a51c1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1f6edd11fbf7e0143f99f20fc714044b989b299a
Author: xiejiagui <xiejiagui at zenus.(none)>
Date: Sat Nov 19 16:06:16 2011 +0800
[1310] Add unit test about two NSEC RRs which proved no matched
QNAME and via wildcard expansion no matched <QNAME,QTYPE>
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 22 ++++-------
src/bin/auth/query.h | 12 ++++-
src/bin/auth/tests/query_unittest.cc | 70 ++++++++++++++++++++++++---------
3 files changed, 68 insertions(+), 36 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 8f6ca50..b1b7f3d 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -187,13 +187,15 @@ Query::addWildcardProof(ZoneFinder& finder) {
void
Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
- // The query name shouldn't exist in the zone if there were no wildcard
- // substitution. Confirm that by specifying NO_WILDCARD. It should result
- // in NXDOMAIN and an NSEC RR that proves it should be returned.
+ // There should be one NSEC RR which was found in the zone to prove
+ // that there is not matched <QNAME,QTYPE> via wildcard expansion.
if (nsec->getRdataCount() == 0) {
- isc_throw(BadNSEC, "NSEC for NXRRSET is empty");
+ isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
return;
}
+ // Add this NSEC RR to authority section.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(nsec), dnssec_);
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(), NULL,
@@ -204,19 +206,11 @@ Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
return;
}
- if (nsec->getName() == fresult.rrset->getName()) {
- // one NSEC RR proves wildcard_nxrrset and no matched QNAME.
+ if (nsec->getName() != fresult.rrset->getName()) {
+ // one NSEC RR proves wildcard_nxrrset that no matched QNAME.
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<RRset>(fresult.rrset),
dnssec_);
- } else {
- // add NSEC RR that proves wildcard_nxrrset.
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<RRset>(nsec), dnssec_);
- // add NSEC RR that proves no matched QNAME.
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<RRset>(fresult.rrset),
- dnssec_);
}
}
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index d4af955..2f044c1 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -82,11 +82,17 @@ private:
/// This corresponds to Section 3.1.3.3 of RFC 4035.
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
- /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
- ///
+ /// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
+ /// matched <QNAME,QTYPE> through wildcard extension.
+ ///
+ /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
/// This corresponds to Section 3.1.3.4 of RFC 4035.
+ /// \param finder The ZoneFinder through which the authority data for the
+ /// query is to be found.
+ /// \param nsec The RRset (NSEC RR) which proved that there is no matched
+ /// <QNAME,QTTYPE>.
void addWildcardNxrrsetProof(isc::datasrc::ZoneFinder& finder,
- isc::dns::ConstRRsetPtr nsec);
+ isc::dns::ConstRRsetPtr nsec);
/// \brief Look up additional data (i.e., address records for the names
/// included in NS or MX records) and add them to the additional section.
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index b4f586d..656ddb7 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -100,6 +100,15 @@ const char* const cnamewild_txt =
"*.cnamewild.example.com. 3600 IN CNAME www.example.org.\n";
const char* const nsec_cnamewild_txt = "*.cnamewild.example.com. "
"3600 IN NSEC delegation.example.com. CNAME NSEC RRSIG\n";
+// Wildcard_nxrrset
+const char* const wild_txt_nxrrset =
+ "*.uwild.example.com. 3600 IN A 192.0.2.9\n";
+const char* const nsec_wild_txt_nxrrset =
+ "*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
+const char* const wild_txt_next =
+ "www.uwild.example.com. 3600 IN A 192.0.2.11\n";
+const char* const nsec_wild_txt_next =
+ "www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
// Used in NXDOMAIN proof test. We are going to test some unusual case where
// the best possible wildcard is below the "next domain" of the NSEC RR that
// proves the NXDOMAIN, i.e.,
@@ -178,7 +187,9 @@ public:
other_zone_rrs << no_txt << nz_txt <<
nsec_apex_txt << nsec_mx_txt << nsec_no_txt << nsec_nz_txt <<
nsec_nxdomain_txt << nsec_www_txt << nonsec_a_txt <<
- wild_txt << nsec_wild_txt << cnamewild_txt << nsec_cnamewild_txt;
+ wild_txt << nsec_wild_txt << cnamewild_txt << nsec_cnamewild_txt <<
+ wild_txt_nxrrset<<nsec_wild_txt_nxrrset<<wild_txt_next<<
+ nsec_wild_txt_next;
masterLoad(zone_stream, origin_, rrclass_,
boost::bind(&MockZoneFinder::loadRRset, this, _1));
@@ -395,24 +406,28 @@ MockZoneFinder::find(const Name& name, const RRType& type,
// hardcoded specific cases, ignoring other details such as canceling
// due to the existence of closer name.
if ((options & NO_WILDCARD) == 0) {
- const Name wild_suffix("wild.example.com");
- if (name.compare(wild_suffix).getRelation() ==
- NameComparisonResult::SUBDOMAIN) {
- domain = domains_.find(Name("*").concatenate(wild_suffix));
- assert(domain != domains_.end());
- RRsetStore::const_iterator found_rrset = domain->second.find(type);
- if (found_rrset != domain->second.end()) {
- return (FindResult(WILDCARD,
- substituteWild(*found_rrset->second, name)));
- } else {
- found_rrset = domain->second.find(RRType::NSEC());
- assert(found_rrset != domain->second.end());
- Name newName = Name("*").concatenate(wild_suffix);
- return (FindResult(WILDCARD_NXRRSET,
- substituteWild(*found_rrset->second,newName)));
- }
-
- }
+ //const Name wild_suffix("wild.example.com");
+ const Name wild_suffix(name.split(1));
+ if (name.equals(Name("www.wild.example.com"))||
+ name.equals(Name("www1.uwild.example.com"))) {
+ if (name.compare(wild_suffix).getRelation() ==
+ NameComparisonResult::SUBDOMAIN) {
+ domain = domains_.find(Name("*").concatenate(wild_suffix));
+ assert(domain != domains_.end());
+ RRsetStore::const_iterator found_rrset = domain->second.find(type);
+ if (found_rrset != domain->second.end()) {
+ return (FindResult(WILDCARD,
+ substituteWild(*found_rrset->second, name)));
+ } else {
+ found_rrset = domain->second.find(RRType::NSEC());
+ assert(found_rrset != domain->second.end());
+ Name newName = Name("*").concatenate(wild_suffix);
+ return (FindResult(WILDCARD_NXRRSET,
+ substituteWild(*found_rrset->second,newName)));
+ }
+
+ }
+ }
const Name cnamewild_suffix("cnamewild.example.com");
if (name.compare(cnamewild_suffix).getRelation() ==
NameComparisonResult::SUBDOMAIN) {
@@ -946,6 +961,23 @@ TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
NULL, mock_finder->getOrigin());
}
+TEST_F(QueryTest, wildcardNxrrsetWithNSEC) {
+ // NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
+ // NXRRSET and their RRSIGs.
+ Query(memory_client, Name("www1.uwild.example.com"), RRType::TXT(), response,
+ true).process();
+
+ responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
+ (string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("SOA") + "\n" +
+ string(nsec_wild_txt_nxrrset) +
+ string("*.uwild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC")+"\n" +
+ string(nsec_wild_txt_next) +
+ string("www.uwild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC") + "\n").c_str(),
+ NULL, mock_finder->getOrigin());
+}
/*
* This tests that when there's no SOA and we need a negative answer. It should
* throw in that case.
More information about the bind10-changes
mailing list