BIND 10 master, updated. eb06cb8dfea727c5d9366583581ca674d23c4c2e Merge branch 'master' into trac1310
BIND 10 source code commits
bind10-changes at lists.isc.org
Tue Nov 29 01:57:18 UTC 2011
The branch, master has been updated
via eb06cb8dfea727c5d9366583581ca674d23c4c2e (commit)
via e35e9b8a1cef995079ef15b0321aa7b420139226 (commit)
via 97cf501e33b45c373aa12a3cb8ae76909d3522bc (commit)
via 8b92bb931e29b7b1bbb8147cda4f7d0aac507ac1 (commit)
via 1f6edd11fbf7e0143f99f20fc714044b989b299a (commit)
via 8279efec0dae2291665a99e4d489e8e5ef7a51c1 (commit)
via fda23d6cf412c2a90df325c244f79811d939d3c7 (commit)
via 32b1e0701a9b138321e510a432c5cdd49fa336c6 (commit)
from 5de824f59cd2ba7e8cbb3cc58c4cd42c585c09c3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit eb06cb8dfea727c5d9366583581ca674d23c4c2e
Merge: e35e9b8a1cef995079ef15b0321aa7b420139226 5de824f59cd2ba7e8cbb3cc58c4cd42c585c09c3
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Tue Nov 29 09:54:47 2011 +0800
Merge branch 'master' into trac1310
commit e35e9b8a1cef995079ef15b0321aa7b420139226
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Tue Nov 29 09:30:43 2011 +0800
[1310] Changed the comments
commit 97cf501e33b45c373aa12a3cb8ae76909d3522bc
Author: xiejiagui <xiejiagui at cnnic.cn>
Date: Fri Nov 25 09:33:17 2011 +0800
[1310] Add comments for two NSEC RRs which prove either NXDOMAIN
or NXRRSET of wildcard expansion.
commit 8b92bb931e29b7b1bbb8147cda4f7d0aac507ac1
Author: xiejiagui <xiejiagui at zenus.(none)>
Date: Sat Nov 19 17:04:10 2011 +0800
X
commit 1f6edd11fbf7e0143f99f20fc714044b989b299a
Author: xiejiagui <xiejiagui at zenus.(none)>
Date: Sat Nov 19 16:06:16 2011 +0800
[1310] Add unit test about two NSEC RRs which proved no matched
QNAME and via wildcard expansion no matched <QNAME,QTYPE>
commit 8279efec0dae2291665a99e4d489e8e5ef7a51c1
Author: xiejiagui <xiejiagui at cnnic.cn>
Date: Thu Nov 17 10:55:51 2011 +0800
[1310] Add duplicate check for NSEC RR.
commit fda23d6cf412c2a90df325c244f79811d939d3c7
Author: xiejiagui <xiejiagui at zenus.(none)>
Date: Wed Nov 16 14:28:05 2011 +0800
[1310] Add branch wildcard_nxrrset in query_unittest.cc
commit 32b1e0701a9b138321e510a432c5cdd49fa336c6
Author: xiejiagui <xiejiagui at zenus.(none)>
Date: Wed Nov 16 11:53:17 2011 +0800
[1310] Add WILDCARD_NXRRSET case in Query.process()
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 35 +++++++++++++++
src/bin/auth/query.h | 12 +++++
src/bin/auth/tests/query_unittest.cc | 77 +++++++++++++++++++++++++++++-----
3 files changed, 113 insertions(+), 11 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index b2e0234..b7ee3b6 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -186,6 +186,35 @@ Query::addWildcardProof(ZoneFinder& finder) {
}
void
+Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
+ // There should be one NSEC RR which was found in the zone to prove
+ // that there is not matched <QNAME,QTYPE> via wildcard expansion.
+ if (nsec->getRdataCount() == 0) {
+ isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
+ return;
+ }
+ // Add this NSEC RR to authority section.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(nsec), dnssec_);
+
+ const ZoneFinder::FindResult fresult =
+ finder.find(qname_, RRType::NSEC(), NULL,
+ dnssec_opt_ | ZoneFinder::NO_WILDCARD);
+ if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
+ fresult.rrset->getRdataCount() == 0) {
+ isc_throw(BadNSEC, "Unexpected result for no match QNAME proof");
+ return;
+ }
+
+ if (nsec->getName() != fresult.rrset->getName()) {
+ // one NSEC RR proves wildcard_nxrrset that no matched QNAME.
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<RRset>(fresult.rrset),
+ dnssec_);
+ }
+}
+
+void
Query::addAuthAdditional(ZoneFinder& finder) {
// Fill in authority and addtional sections.
ZoneFinder::FindResult ns_result = finder.find(finder.getOrigin(),
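Review bot: In `addWildcardNxrrsetProof` the first NSEC is added to the authority section before the `NO_WILDCARD` lookup has been validated, so if the second check throws `BadNSEC` the response already carries half of the proof. Whether the caller discards the message on that exception is not visible in this hunk. Running `finder.find(...)` and its result check first, and only then making the two `response_.addRRset(...)` calls, would keep the authority section all-or-nothing. The `return;` after each `isc_throw(...)` looks unreachable (assuming `isc_throw` always throws) and can be dropped. The function also dereferences `nsec` without a check and relies on the caller's `db_result.rrset` test, so a comment such as `// Precondition: nsec is non-null (checked by the caller)` would make that contract explicit.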
@@ -355,6 +384,12 @@ Query::process() {
dnssec_);
}
break;
+ case ZoneFinder::WILDCARD_NXRRSET:
+ addSOA(*result.zone_finder);
+ if (dnssec_ && db_result.rrset) {
+ addWildcardNxrrsetProof(zfinder,db_result.rrset);
+ }
+ break;
default:
// This is basically a bug of the data source implementation,
// but could also happen in the middle of development where
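Review bot: The new `WILDCARD_NXRRSET` case sends an SOA-only answer when `dnssec_` is set but `db_result.rrset` is empty, and nothing records whether that is intended. For a signed zone, a validating resolver cannot accept a no-data answer without the NSEC records described in RFC 4035 section 3.1.3.4. A comment such as `// No NSEC from the data source (presumably an unsigned zone): answer without proof` would document the fallback. On style, `addWildcardNxrrsetProof(zfinder,db_result.rrset)` lacks a space after the comma, and the case uses `*result.zone_finder` for the SOA but `zfinder` for the proof. `Query::process()` begins and ends outside this hunk.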
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index 3282c0d..681feb2 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -82,6 +82,18 @@ private:
/// This corresponds to Section 3.1.3.3 of RFC 4035.
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
+ /// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
+ /// matched <QNAME,QTYPE> through wildcard extension.
+ ///
+ /// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
+ /// This corresponds to Section 3.1.3.4 of RFC 4035.
+ /// \param finder The ZoneFinder through which the authority data for the
+ /// query is to be found.
+ /// \param nsec The RRset (NSEC RR) which proved that there is no matched
+ /// <QNAME,QTTYPE>.
+ void addWildcardNxrrsetProof(isc::datasrc::ZoneFinder& finder,
+ isc::dns::ConstRRsetPtr nsec);
+
/// \brief Look up additional data (i.e., address records for the names
/// included in NS or MX records) and add them to the additional section.
///
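Review bot: The doc comment for `addWildcardNxrrsetProof` does not mention that the function throws `BadNSEC`, which the implementation in query.cc does when the NSEC is empty or the no-wildcard lookup returns an unexpected result. A caller reading only the header should see that, along with the precondition that `nsec` must be non-null. The wording also needs cleanup: `<QNAME,QTTYPE>` should be `<QNAME,QTYPE>`, "an WILDCARD_NXRRSET" should be "a WILDCARD_NXRRSET", and "wildcard extension" should read "wildcard expansion" to match RFC 4035 terminology.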
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index 16a2409..43a2077 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -100,6 +100,15 @@ const char* const cnamewild_txt =
"*.cnamewild.example.com. 3600 IN CNAME www.example.org.\n";
const char* const nsec_cnamewild_txt = "*.cnamewild.example.com. "
"3600 IN NSEC delegation.example.com. CNAME NSEC RRSIG\n";
+// Wildcard_nxrrset
+const char* const wild_txt_nxrrset =
+ "*.uwild.example.com. 3600 IN A 192.0.2.9\n";
+const char* const nsec_wild_txt_nxrrset =
+ "*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
+const char* const wild_txt_next =
+ "www.uwild.example.com. 3600 IN A 192.0.2.11\n";
+const char* const nsec_wild_txt_next =
+ "www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
// Used in NXDOMAIN proof test. We are going to test some unusual case where
// the best possible wildcard is below the "next domain" of the NSEC RR that
// proves the NXDOMAIN, i.e.,
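Review bot: The `// Wildcard_nxrrset` comment does not explain how the four new records fit together, unlike the neighbouring fixtures, which describe their scenario. In particular, the next name `*.wild.example.com.` in `nsec_wild_txt_next` reads like a typo for `*.uwild` unless the reader knows it is meant to be the canonical successor of `www.uwild.example.com.`. I would expand the comment to say that `*.uwild.example.com.` has only an A record, and that the NSEC at `www.uwild.example.com.` is the one expected to cover the test query name `www1.uwild.example.com.`.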
@@ -116,7 +125,6 @@ const char* const nsec_mx_txt =
"mx.example.com. 3600 IN NSEC ).no.example.com. MX NSEC RRSIG\n";
const char* const nsec_no_txt =
").no.example.com. 3600 IN NSEC nz.no.example.com. AAAA NSEC RRSIG\n";
-
// We'll also test the case where a single NSEC proves both NXDOMAIN and the
// non existence of wildcard. The following records will be used for that
// test.
@@ -179,7 +187,9 @@ public:
other_zone_rrs << no_txt << nz_txt <<
nsec_apex_txt << nsec_mx_txt << nsec_no_txt << nsec_nz_txt <<
nsec_nxdomain_txt << nsec_www_txt << nonsec_a_txt <<
- wild_txt << nsec_wild_txt << cnamewild_txt << nsec_cnamewild_txt;
+ wild_txt << nsec_wild_txt << cnamewild_txt << nsec_cnamewild_txt <<
+ wild_txt_nxrrset<<nsec_wild_txt_nxrrset<<wild_txt_next<<
+ nsec_wild_txt_next;
masterLoad(zone_stream, origin_, rrclass_,
boost::bind(&MockZoneFinder::loadRRset, this, _1));
@@ -396,15 +406,26 @@ MockZoneFinder::find(const Name& name, const RRType& type,
// hardcoded specific cases, ignoring other details such as canceling
// due to the existence of closer name.
if ((options & NO_WILDCARD) == 0) {
- const Name wild_suffix("wild.example.com");
- if (name.compare(wild_suffix).getRelation() ==
- NameComparisonResult::SUBDOMAIN) {
- domain = domains_.find(Name("*").concatenate(wild_suffix));
- assert(domain != domains_.end());
- RRsetStore::const_iterator found_rrset = domain->second.find(type);
- assert(found_rrset != domain->second.end());
- return (FindResult(WILDCARD,
- substituteWild(*found_rrset->second, name)));
+ const Name wild_suffix(name.split(1));
+ if (name.equals(Name("www.wild.example.com"))||
+ name.equals(Name("www1.uwild.example.com"))) {
+ if (name.compare(wild_suffix).getRelation() ==
+ NameComparisonResult::SUBDOMAIN) {
+ domain = domains_.find(Name("*").concatenate(wild_suffix));
+ assert(domain != domains_.end());
+ RRsetStore::const_iterator found_rrset = domain->second.find(type);
+ if (found_rrset != domain->second.end()) {
+ return (FindResult(WILDCARD,
+ substituteWild(*found_rrset->second, name)));
+ } else {
+ found_rrset = domain->second.find(RRType::NSEC());
+ assert(found_rrset != domain->second.end());
+ Name newName = Name("*").concatenate(wild_suffix);
+ return (FindResult(WILDCARD_NXRRSET,
+ substituteWild(*found_rrset->second,newName)));
+ }
+
+ }
}
const Name cnamewild_suffix("cnamewild.example.com");
if (name.compare(cnamewild_suffix).getRelation() ==
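Review bot: In the rewritten wildcard branch of `MockZoneFinder::find`, `wild_suffix` is now `name.split(1)`, so the inner `name.compare(wild_suffix).getRelation() == NameComparisonResult::SUBDOMAIN` test compares a name with its own parent and can no longer select anything. The real gate is the pair of hard-coded `name.equals(...)` checks. This also narrows the mock: before, any name below `wild.example.com` matched the wildcard, and now only `www.wild.example.com` does, which deserves a comment. `name.split(1)` is evaluated for every lookup without `NO_WILDCARD`; moving `const Name wild_suffix(name.split(1));` inside the `name.equals(...)` branch avoids splitting names that may have too few labels. The local `newName` duplicates the `Name("*").concatenate(wild_suffix)` expression already built for `domains_.find(...)`, so it could be computed once and reused. The function starts and continues outside this hunk.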
@@ -924,6 +945,40 @@ TEST_F(QueryTest, badWildcardProof3) {
Query::BadNSEC);
}
+TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
+ // WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
+ // NXRRSET and their RRSIGs. In this case we only need one NSEC,
+ // which proves both NXDOMAIN and the non existence RRSETs of wildcard.
+ Query(memory_client, Name("www.wild.example.com"), RRType::TXT(), response,
+ true).process();
+
+ responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
+ (string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("SOA") + "\n" +
+ string(nsec_wild_txt) +
+ string("*.wild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC")+"\n").c_str(),
+ NULL, mock_finder->getOrigin());
+}
+
+TEST_F(QueryTest, wildcardNxrrsetWithNSEC) {
+ // WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
+ // NXRRSET and their RRSIGs. In this case we need two NSEC RRs,
+ // one proves NXDOMAIN and the other proves non existence RRSETs of wildcard.
+ Query(memory_client, Name("www1.uwild.example.com"), RRType::TXT(), response,
+ true).process();
+
+ responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
+ (string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("SOA") + "\n" +
+ string(nsec_wild_txt_nxrrset) +
+ string("*.uwild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC")+"\n" +
+ string(nsec_wild_txt_next) +
+ string("www.uwild.example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC") + "\n").c_str(),
+ NULL, mock_finder->getOrigin());
+}
/*
* This tests that when there's no SOA and we need a negative answer. It should
* throw in that case.
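Review bot: The two new tests, `wildcardNxrrsetWithDuplicateNSEC` and `wildcardNxrrsetWithNSEC`, cover only the successful paths of `addWildcardNxrrsetProof`. Neither of its `BadNSEC` throws is exercised: the empty NSEC case and the unexpected result from the `NO_WILDCARD` lookup. The existing `badWildcardProof*` tests just above show the pattern for the sibling proof, and equivalent negative tests here would pin down that a malformed proof is rejected rather than sent. In the test comments, "non existence RRSETs of wildcard" would read better as "non-existence of the RRset at the wildcard".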