BIND 10 trac1310, updated. 97cf501e33b45c373aa12a3cb8ae76909d3522bc [1310] Add comments for two NSEC RRs which prove either NXDOMAIN or NXRRSET of wildcard expansion.
BIND 10 source code commits
bind10-changes at lists.isc.org
Fri Nov 25 01:38:20 UTC 2011
The branch, trac1310 has been updated
via 97cf501e33b45c373aa12a3cb8ae76909d3522bc (commit)
from 8b92bb931e29b7b1bbb8147cda4f7d0aac507ac1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 97cf501e33b45c373aa12a3cb8ae76909d3522bc
Author: xiejiagui <xiejiagui at cnnic.cn>
Date: Fri Nov 25 09:33:17 2011 +0800
[1310] Add comments for two NSEC RRs which prove either NXDOMAIN
or NXRRSET of wildcard expansion.
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 28 +++++++-------
src/bin/auth/query.h | 18 ++++----
src/bin/auth/tests/query_unittest.cc | 70 +++++++++++++++++----------------
3 files changed, 59 insertions(+), 57 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index b1b7f3d..b7ee3b6 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -188,16 +188,16 @@ Query::addWildcardProof(ZoneFinder& finder) {
void
Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
// There should be one NSEC RR which was found in the zone to prove
- // that there is not matched <QNAME,QTYPE> via wildcard expansion.
+ // that there is not matched <QNAME,QTYPE> via wildcard expansion.
if (nsec->getRdataCount() == 0) {
- isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
- return;
- }
+ isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
+ return;
+ }
// Add this NSEC RR to authority section.
- response_.addRRset(Message::SECTION_AUTHORITY,
+ response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<RRset>(nsec), dnssec_);
-
- const ZoneFinder::FindResult fresult =
+
+ const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(), NULL,
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
@@ -207,13 +207,13 @@ Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
}
if (nsec->getName() != fresult.rrset->getName()) {
- // one NSEC RR proves wildcard_nxrrset that no matched QNAME.
+ // one NSEC RR proves wildcard_nxrrset that no matched QNAME.
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<RRset>(fresult.rrset),
dnssec_);
- }
+ }
}
-
+
void
Query::addAuthAdditional(ZoneFinder& finder) {
// Fill in authority and addtional sections.
@@ -384,12 +384,12 @@ Query::process() {
dnssec_);
}
break;
- case ZoneFinder::WILDCARD_NXRRSET:
+ case ZoneFinder::WILDCARD_NXRRSET:
addSOA(*result.zone_finder);
if (dnssec_ && db_result.rrset) {
- addWildcardNxrrsetProof(zfinder,db_result.rrset);
- }
- break;
+ addWildcardNxrrsetProof(zfinder,db_result.rrset);
+ }
+ break;
default:
// This is basically a bug of the data source implementation,
// but could also happen in the middle of development where
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index 2f044c1..681feb2 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -83,17 +83,17 @@ private:
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
/// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
- /// matched <QNAME,QTYPE> through wildcard extension.
- ///
- /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
+ /// matched <QNAME,QTYPE> through wildcard extension.
+ ///
+ /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
/// This corresponds to Section 3.1.3.4 of RFC 4035.
- /// \param finder The ZoneFinder through which the authority data for the
- /// query is to be found.
- /// \param nsec The RRset (NSEC RR) which proved that there is no matched
- /// <QNAME,QTTYPE>.
+ /// \param finder The ZoneFinder through which the authority data for the
+ /// query is to be found.
+ /// \param nsec The RRset (NSEC RR) which proved that there is no matched
+ /// <QNAME,QTTYPE>.
void addWildcardNxrrsetProof(isc::datasrc::ZoneFinder& finder,
- isc::dns::ConstRRsetPtr nsec);
-
+ isc::dns::ConstRRsetPtr nsec);
+
/// \brief Look up additional data (i.e., address records for the names
/// included in NS or MX records) and add them to the additional section.
///
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index 5ac2d94..169eb40 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+/ Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
@@ -102,13 +102,13 @@ const char* const nsec_cnamewild_txt = "*.cnamewild.example.com. "
"3600 IN NSEC delegation.example.com. CNAME NSEC RRSIG\n";
// Wildcard_nxrrset
const char* const wild_txt_nxrrset =
- "*.uwild.example.com. 3600 IN A 192.0.2.9\n";
+ "*.uwild.example.com. 3600 IN A 192.0.2.9\n";
const char* const nsec_wild_txt_nxrrset =
- "*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
+ "*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
const char* const wild_txt_next =
- "www.uwild.example.com. 3600 IN A 192.0.2.11\n";
+ "www.uwild.example.com. 3600 IN A 192.0.2.11\n";
const char* const nsec_wild_txt_next =
- "www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
+ "www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
// Used in NXDOMAIN proof test. We are going to test some unusual case where
// the best possible wildcard is below the "next domain" of the NSEC RR that
// proves the NXDOMAIN, i.e.,
@@ -191,7 +191,7 @@ public:
wild_txt_nxrrset<<nsec_wild_txt_nxrrset<<wild_txt_next<<
nsec_wild_txt_next;
- masterLoad(zone_stream, origin_, rrclass_,
+ masterLoad(zone_stream, origin_, rrclass_,
boost::bind(&MockZoneFinder::loadRRset, this, _1));
empty_nsec_rrset_ = ConstRRsetPtr(new RRset(Name::ROOT_NAME(),
@@ -406,27 +406,27 @@ MockZoneFinder::find(const Name& name, const RRType& type,
// hardcoded specific cases, ignoring other details such as canceling
// due to the existence of closer name.
if ((options & NO_WILDCARD) == 0) {
- const Name wild_suffix(name.split(1));
- if (name.equals(Name("www.wild.example.com"))||
- name.equals(Name("www1.uwild.example.com"))) {
- if (name.compare(wild_suffix).getRelation() ==
- NameComparisonResult::SUBDOMAIN) {
- domain = domains_.find(Name("*").concatenate(wild_suffix));
- assert(domain != domains_.end());
- RRsetStore::const_iterator found_rrset = domain->second.find(type);
- if (found_rrset != domain->second.end()) {
- return (FindResult(WILDCARD,
+ const Name wild_suffix(name.split(1));
+ if (name.equals(Name("www.wild.example.com"))||
+ name.equals(Name("www1.uwild.example.com"))) {
+ if (name.compare(wild_suffix).getRelation() ==
+ NameComparisonResult::SUBDOMAIN) {
+ domain = domains_.find(Name("*").concatenate(wild_suffix));
+ assert(domain != domains_.end());
+ RRsetStore::const_iterator found_rrset = domain->second.find(type);
+ if (found_rrset != domain->second.end()) {
+ return (FindResult(WILDCARD,
substituteWild(*found_rrset->second, name)));
- } else {
- found_rrset = domain->second.find(RRType::NSEC());
- assert(found_rrset != domain->second.end());
- Name newName = Name("*").concatenate(wild_suffix);
- return (FindResult(WILDCARD_NXRRSET,
- substituteWild(*found_rrset->second,newName)));
- }
-
- }
- }
+ } else {
+ found_rrset = domain->second.find(RRType::NSEC());
+ assert(found_rrset != domain->second.end());
+ Name newName = Name("*").concatenate(wild_suffix);
+ return (FindResult(WILDCARD_NXRRSET,
+ substituteWild(*found_rrset->second,newName)));
+ }
+
+ }
+ }
const Name cnamewild_suffix("cnamewild.example.com");
if (name.compare(cnamewild_suffix).getRelation() ==
NameComparisonResult::SUBDOMAIN) {
@@ -946,8 +946,9 @@ TEST_F(QueryTest, badWildcardProof3) {
}
TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
- // NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
- // NXRRSET and their RRSIGs.
+ // WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
+ // NXRRSET and their RRSIGs. In this case we only need one NSEC,
+ // which proves both NXDOMAIN and the non existence RRSETs of wildcard.
Query(memory_client, Name("www.wild.example.com"), RRType::TXT(), response,
true).process();
@@ -961,20 +962,21 @@ TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
}
TEST_F(QueryTest, wildcardNxrrsetWithNSEC) {
- // NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
- // NXRRSET and their RRSIGs.
+ // WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
+ // NXRRSET and their RRSIGs. In this case we need two NSEC RRs,
+ // one proves NXDOMAIN and the other proves non existence RRSETs of wildcard.
Query(memory_client, Name("www1.uwild.example.com"), RRType::TXT(), response,
true).process();
- responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
+ responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("SOA") + "\n" +
string(nsec_wild_txt_nxrrset) +
string("*.uwild.example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("NSEC")+"\n" +
- string(nsec_wild_txt_next) +
- string("www.uwild.example.com. 3600 IN RRSIG ") +
- getCommonRRSIGText("NSEC") + "\n").c_str(),
+ string(nsec_wild_txt_next) +
+ string("www.uwild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC") + "\n").c_str(),
NULL, mock_finder->getOrigin());
}
/*
More information about the bind10-changes
mailing list