BIND 10 trac1177, updated. f847a5e079ceae0346b84fb320ed06ce9b443a63 [1177] NSEC for NXDOMAIN

BIND 10 source code commits bind10-changes at lists.isc.org
Fri Sep 9 11:48:11 UTC 2011


The branch, trac1177 has been updated
       via  f847a5e079ceae0346b84fb320ed06ce9b443a63 (commit)
       via  05512e090c6c3cb852cebdb85ae7c12e8001603b (commit)
      from  c35f6b15bb6b703154e05399266dd2051ef9cfa9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f847a5e079ceae0346b84fb320ed06ce9b443a63
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date:   Fri Sep 9 13:47:09 2011 +0200

    [1177] NSEC for NXDOMAIN
    
    Just for the common one, though. Empty non-terminal and wildcards must
    be solved yet.

commit 05512e090c6c3cb852cebdb85ae7c12e8001603b
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date:   Fri Sep 9 13:23:34 2011 +0200

    [1177] Tests for NXDOMAIN NSEC case

-----------------------------------------------------------------------

Summary of changes:
 src/lib/datasrc/database.cc                |   32 +++++++++++++++++++++++++-
 src/lib/datasrc/tests/database_unittest.cc |   33 ++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 2 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/lib/datasrc/database.cc b/src/lib/datasrc/database.cc
index f82e641..9ff455f 100644
--- a/src/lib/datasrc/database.cc
+++ b/src/lib/datasrc/database.cc
@@ -326,6 +326,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
     // In case we are in GLUE_OK mode and start matching wildcards,
     // we can't do it under NS, so we store it here to check
     isc::dns::RRsetPtr first_ns;
+    // This is used at multiple places
+    static WantedTypes nsec_types(empty_types + RRType::NSEC());
 
     // First, do we have any kind of delegation (NS/DNAME) here?
     Name origin(getOrigin());
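Review bot: The new function-local `nsec_types` is declared as a mutable `static`, although both uses in this diff only read it. Declaring it `static const WantedTypes nsec_types(empty_types + RRType::NSEC());` would keep a later edit from modifying a set that every call to find() shares. The comment `// This is used at multiple places` does not say what the value is; something like `// Type set for lookups that need only the NSEC record of a name` would serve the reader better. The body of find() starts and ends outside this hunk.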
@@ -497,8 +499,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
                                     // However, we need to get the RRset in the
                                     // name of the wildcard, not the constructed
                                     // one, so we walk it again
-                                    found = getRRsets(wildcard, empty_types +
-                                                      RRType::NSEC(), true);
+                                    found = getRRsets(wildcard, nsec_types,
+                                                      true);
                                     result_rrset =
                                         found.second.find(RRType::NSEC())->
                                         second;
@@ -526,6 +528,32 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
                         break;
                     }
                 }
+                // This is the NXDOMAIN case (nothing found anywhere). If
+                // they wand DNSSEC data, try getting the NSEC record
+                if (dnssec_data && !records_found) {
+                    try {
+                        // Which one should contain the NSEC record?
+                        const Name coverName(findPreviousName(name));
+                        // Get the record and copy it out
+                        found = getRRsets(coverName, nsec_types, true);
+                        const FoundIterator
+                            nci(found.second.find(RRType::NSEC()));
+                        if (nci != found.second.end()) {
+                            result_status = NXDOMAIN;
+                            result_rrset = nci->second;
+                        } else {
+                            // The previous doesn't contain NSEC, bug?
+                            isc_throw(DataSourceError, "No NSEC in " +
+                                      coverName.toText() + ", but it was "
+                                      "returned as previous - "
+                                      "accessor error?");
+                        }
+                    }
+                    catch (const isc::NotImplemented&) {
+                        // Well, they want DNSSEC, but there is no available.
+                        // So we don't provide anything.
+                    }
+                }
             }
         } else if (dnssec_data) {
             // This is the "usual" NXRRSET case
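Review bot: The empty `catch (const isc::NotImplemented&)` block lets a DNSSEC-requested NXDOMAIN come back with no denial-of-existence record and no trace, so an operator serving a signed zone from a backend that lacks findPreviousName() would likely only notice when validating resolvers reject the negative answers. A debug-level log entry in the handler naming the queried name would make that diagnosable, and the comment could state the consequence, e.g. `// No previous-name support in the backend: the NXDOMAIN is returned without an NSEC proof`. As the commit message says, only the NSEC covering the query name is fetched here, so a `// TODO: wildcard and empty non-terminal proofs are not handled yet` next to the `if` would keep that gap visible in the code. The comment above the `if` also has a typo, `wand` for `want`. The enclosing find() body continues outside the hunk.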
diff --git a/src/lib/datasrc/tests/database_unittest.cc b/src/lib/datasrc/tests/database_unittest.cc
index 337b8c5..6cb2ae4 100644
--- a/src/lib/datasrc/tests/database_unittest.cc
+++ b/src/lib/datasrc/tests/database_unittest.cc
@@ -552,6 +552,8 @@ public:
             } else if (rname == "org.example.www2." ||
                        rname == "org.example.www1.") {
                 return ("www.example.org.");
+            } else if (rname == "org.example.notimplnsec.") {
+                isc_throw(isc::NotImplemented, "Not implemented in this test");
             } else {
                 isc_throw(isc::Unexpected, "Unexpected name");
             }
@@ -1611,6 +1613,37 @@ TYPED_TEST(DatabaseClientTest, wildcardNXRRSET_NSEC) {
                Name("*.wild.example.org"), ZoneFinder::FIND_DNSSEC);
 }
 
+TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
+    // The domain doesn't exist, so we must get the right NSEC
+    shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
+
+    this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
+    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
+                                         "20000201000000 12345 example.org. "
+                                         "FAKEFAKEFAKE");
+    doFindTest(*finder, isc::dns::Name("www1.example.org."),
+               isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
+               isc::dns::RRTTL(3600),
+               ZoneFinder::NXDOMAIN,
+               this->expected_rdatas_, this->expected_sig_rdatas_,
+               Name("www.example.org."), ZoneFinder::FIND_DNSSEC);
+
+    // Check that if the DB doesn't support it, the exception from there
+    // is not propagated and it only does not include the NSEC
+    if (!this->is_mock_) {
+        return; // We don't make the real DB to throw
+    }
+    this->expected_rdatas_.clear();
+    this->expected_sig_rdatas_.clear();
+    EXPECT_NO_THROW(doFindTest(*finder,
+                               isc::dns::Name("notimplnsec.example.org."),
+                               isc::dns::RRType::TXT(),
+                               isc::dns::RRType::NSEC(),
+                               isc::dns::RRTTL(3600), ZoneFinder::NXDOMAIN,
+                               this->expected_rdatas_,
+                               this->expected_sig_rdatas_,
+                               Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC));
+}
 
 TYPED_TEST(DatabaseClientTest, getOrigin) {
     DataSourceClient::FindResult
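Review bot: Nothing in NXDOMAIN_NSEC exercises the new `isc_throw(DataSourceError, ...)` branch in database.cc, the case where the name returned by findPreviousName() carries no NSEC record. A mock mapping in findPreviousName() to a name without NSEC, checked with `EXPECT_THROW(..., DataSourceError)`, would cover it. In the second half, wrapping doFindTest in `EXPECT_NO_THROW` with cleared `expected_rdatas_` presumably asserts that no RRset comes back, but that depends on how doFindTest treats empty expectations, which is not visible here. A short comment stating that intent would help.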



