BIND 10 trac1177, updated. d36ded7d95a695f0412f6ccdb59bf55fc600e9d3 [1177] More details about returned NSEC in doc
Mon Sep 26 11:19:23 UTC 2011
The branch, trac1177 has been updated
via d36ded7d95a695f0412f6ccdb59bf55fc600e9d3 (commit)
via b8e90124c19177e0b6b33bd624e244860e2424b3 (commit)
via 5cf1b7ab58c42675c1396fbbd5b1aaf037eb8d19 (commit)
via 17d9827aa40e363650d1698fddba9204f27b5171 (commit)
via 27f447c8b054b17d96abfba431568c1ffe017f0a (commit)
from 70bba1b3f811261fcef30694568245e83cd64bc5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d36ded7d95a695f0412f6ccdb59bf55fc600e9d3
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Sep 26 13:18:49 2011 +0200
[1177] More details about returned NSEC in doc
commit b8e90124c19177e0b6b33bd624e244860e2424b3
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Sep 26 13:12:52 2011 +0200
[1177] Tests for names before origin
commit 5cf1b7ab58c42675c1396fbbd5b1aaf037eb8d19
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Sep 26 13:04:18 2011 +0200
[1177] Don't throw on missing NSEC
Because it can't be distinguished from an unsigned zone for now. This should be
a temporary solution.
commit 17d9827aa40e363650d1698fddba9204f27b5171
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Sep 26 12:52:15 2011 +0200
[1177] Bugfix: don't check for NS-alone in apex
commit 27f447c8b054b17d96abfba431568c1ffe017f0a
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Sep 26 12:38:53 2011 +0200
[1177] Reuse common code
-----------------------------------------------------------------------
Summary of changes:
src/lib/datasrc/database.cc | 87 ++++++++++----------
src/lib/datasrc/database.h | 17 ++++
src/lib/datasrc/tests/database_unittest.cc | 31 +++++++
src/lib/datasrc/tests/sqlite3_accessor_unittest.cc | 5 +
src/lib/datasrc/zone.h | 11 +++
5 files changed, 107 insertions(+), 44 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/lib/datasrc/database.cc b/src/lib/datasrc/database.cc
index 591099c..a8c6bae 100644
--- a/src/lib/datasrc/database.cc
+++ b/src/lib/datasrc/database.cc
@@ -351,6 +351,44 @@ FINAL_TYPES() {
}
+RRsetPtr
+DatabaseClient::Finder::findNSECCover(const Name& name) {
+ try {
+ // Which one should contain the NSEC record?
+ const Name coverName(findPreviousName(name));
+ // Get the record and copy it out
+ FoundRRsets found = getRRsets(coverName.toText(), NSEC_TYPES(),
+ coverName != getOrigin());
+ const FoundIterator
+ nci(found.second.find(RRType::NSEC()));
+ if (nci != found.second.end()) {
+ return (nci->second);
+ } else {
+ // The previous doesn't contain NSEC.
+ // Badly signed zone or a bug?
+
+ // FIXME: Currently, if the zone is not signed, we could get
+ // here. In that case we can't really throw, but for now, we can't
+ // recognize it. So we don't throw at all, enable it once
+ // we have a is_signed flag or something.
+#if 0
+ isc_throw(DataSourceError, "No NSEC in " +
+ coverName.toText() + ", but it was "
+ "returned as previous - "
+ "accessor error? Badly signed zone?");
+#endif
+ }
+ }
+ catch (const isc::NotImplemented&) {
+ // Well, they want DNSSEC, but there is no available.
+ // So we don't provide anything.
+ LOG_INFO(logger, DATASRC_DATABASE_COVER_NSEC_UNSUPPORTED).
+ arg(accessor_->getDBName()).arg(name);
+ }
+ // We didn't find it, return nothing
+ return (RRsetPtr());
+}
+
ZoneFinder::FindResult
DatabaseClient::Finder::find(const isc::dns::Name& name,
const isc::dns::RRType& type,
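Review bot: The `else` branch after `if (nci != found.second.end())` returns an empty pointer without any log, so a zone whose previous name lacks an NSEC (badly signed data, or an accessor returning a wrong previous name) is indistinguishable at runtime from an unsigned zone; until the `is_signed` flag mentioned in the FIXME exists, a debug-level log there (a new message id would be needed, e.g. `DATASRC_DATABASE_COVER_NSEC_MISSING` as a placeholder name) would let an operator notice it. The `catch (const isc::NotImplemented&)` logs DATASRC_DATABASE_COVER_NSEC_UNSUPPORTED, but the sqlite3 test in this same commit makes findPreviousName throw `isc::NotImplemented` for a name before the origin as well, so a before-origin lookup is reported as the database lacking DNSSEC support; a comment on the catch, or a distinct exception type for the out-of-zone case, would keep the log honest. The `find` signature that begins at the end of the hunk continues outside it.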
@@ -381,9 +419,6 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
// This is how many labels we remove to get origin
size_t remove_labels(current_label_count - origin_label_count);
- // Type shortcut, used a lot here
- typedef std::map<RRType, RRsetPtr>::const_iterator FoundIterator;
-
// Now go trough all superdomains from origin down
for (int i(remove_labels); i > 0; --i) {
Name superdomain(name.split(i));
@@ -563,24 +598,9 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
arg(accessor_->getDBName()).arg(wildcard).
arg(name);
if (dnssec_data) {
- // Which one should contain the NSEC record?
- const Name
- coverName(findPreviousName(Name(wildcard)));
- // Get the record and copy it out
- found = getRRsets(coverName.toText(), NSEC_TYPES(),
- true);
- const FoundIterator
- nci(found.second.find(RRType::NSEC()));
- if (nci != found.second.end()) {
+ result_rrset = findNSECCover(Name(wildcard));
+ if (result_rrset) {
result_status = WILDCARD_NXRRSET;
- result_rrset = nci->second;
- } else {
- // The previous doesn't contain NSEC.
- // Badly signed zone or a bug?
- isc_throw(DataSourceError, "No NSEC in " +
- coverName.toText() + ", but it was "
- "returned as previous - "
- "accessor error? Badly signed zone?");
}
}
break;
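Review bot: `result_status` is set to WILDCARD_NXRRSET only when `findNSECCover(Name(wildcard))` returned an RRset; since that helper now returns an empty pointer instead of throwing, an empty result leaves `result_status` at whatever was assigned before the hunk, which is not visible here. If that earlier value is not WILDCARD_NXRRSET, the reported status now depends on whether NSEC data happened to be available rather than on the lookup outcome, so either assign the status unconditionally, `result_status = WILDCARD_NXRRSET; result_rrset = findNSECCover(Name(wildcard));`, with a comment that a null `result_rrset` means no proof could be produced, or add a comment explaining why the status must stay unchanged without an NSEC. The NXDOMAIN hunk below has the same shape. The enclosing `find` function starts and ends outside this hunk.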
@@ -608,30 +628,9 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
if (result_status == SUCCESS) {
// Should we look for NSEC covering the name?
if (get_cover) {
- try {
- // Which one should contain the NSEC record?
- const Name coverName(findPreviousName(name));
- // Get the record and copy it out
- found = getRRsets(coverName.toText(), NSEC_TYPES(), true);
- const FoundIterator
- nci(found.second.find(RRType::NSEC()));
- if (nci != found.second.end()) {
- result_status = NXDOMAIN;
- result_rrset = nci->second;
- } else {
- // The previous doesn't contain NSEC.
- // Badly signed zone or a bug?
- isc_throw(DataSourceError, "No NSEC in " +
- coverName.toText() + ", but it was "
- "returned as previous - "
- "accessor error? Badly signed zone?");
- }
- }
- catch (const isc::NotImplemented&) {
- // Well, they want DNSSEC, but there is no available.
- // So we don't provide anything.
- LOG_INFO(logger, DATASRC_DATABASE_COVER_NSEC_UNSUPPORTED).
- arg(accessor_->getDBName()).arg(name);
+ result_rrset = findNSECCover(name);
+ if (result_rrset) {
+ result_status = NXDOMAIN;
}
}
// Something is not here and we didn't decide yet what
diff --git a/src/lib/datasrc/database.h b/src/lib/datasrc/database.h
index 5e66f33..8295779 100644
--- a/src/lib/datasrc/database.h
+++ b/src/lib/datasrc/database.h
@@ -691,6 +691,23 @@ public:
* \param name The domain to check.
*/
bool hasSubdomains(const std::string& name);
+
+ /**
+ * \brief Get the NSEC covering a name.
+ *
+ * This one calls findPreviousName on the given name and extracts an NSEC
+ * record on the result. It handles various error cases. The method exists
+ * to share code present at more than one location.
+ */
+ dns::RRsetPtr findNSECCover(const dns::Name& name);
+
+ /**
+ * \brief Convenience type shortcut.
+ *
+ * To find stuff in the result of getRRsets.
+ */
+ typedef std::map<dns::RRType, dns::RRsetPtr>::const_iterator
+ FoundIterator;
};
/**
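Review bot: The doc comment on `findNSECCover` says it "handles various error cases" but not what the caller receives; since the implementation returns an empty `RRsetPtr` both when the previous name has no NSEC and when the accessor throws `isc::NotImplemented`, add `\param name The name to find the covering NSEC for.` and `\return The NSEC RRset covering the name, or an empty pointer when the previous name carries no NSEC or the data source does not implement findPreviousName.` Both additions land under the `public:` label shown in the hunk header; if that is the Finder's public section, `FoundIterator` and `findNSECCover` become part of its exported interface although they are described as internal code-sharing helpers, so a `private:` section may be the better home — the surrounding access specifiers are outside the hunk, so this is a guess.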
diff --git a/src/lib/datasrc/tests/database_unittest.cc b/src/lib/datasrc/tests/database_unittest.cc
index 69151ce..94ae022 100644
--- a/src/lib/datasrc/tests/database_unittest.cc
+++ b/src/lib/datasrc/tests/database_unittest.cc
@@ -156,6 +156,9 @@ const char* const TEST_RECORDS[][5] = {
// doesn't break anything
{"example.org.", "NS", "3600", "", "ns.example.com."},
{"example.org.", "A", "3600", "", "192.0.2.1"},
+ {"example.org.", "NSEC", "3600", "", "acnamesig1.example.org. NS A NSEC RRSIG"},
+ {"example.org.", "RRSIG", "3600", "", "NSEC 5 3 3600 20000101000000 "
+ "20000201000000 12345 example.org. FAKEFAKEFAKE"},
{"example.org.", "RRSIG", "3600", "", "NS 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. FAKEFAKEFAKE"},
@@ -558,6 +561,8 @@ public:
} else if (id == 42) {
if (rname == "org.example.nonterminal.") {
return ("l.example.org.");
+ } else if (rname == "org.example.aa.") {
+ return ("example.org.");
} else if (rname == "org.example.www2." ||
rname == "org.example.www1.") {
return ("www.example.org.");
@@ -1673,6 +1678,15 @@ TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
this->rrttl_, ZoneFinder::NXDOMAIN,
this->expected_rdatas_, this->expected_sig_rdatas_,
Name("www.example.org."), ZoneFinder::FIND_DNSSEC);
+ this->expected_rdatas_.clear();
+ this->expected_rdatas_.push_back("acnamesig1.example.org. NS A NSEC RRSIG");
+ // This tests it works correctly in apex (there was a bug, where a check
+ // for NS-alone was there and it would throw).
+ doFindTest(*finder, isc::dns::Name("aa.example.org."),
+ isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
+ this->rrttl_, ZoneFinder::NXDOMAIN,
+ this->expected_rdatas_, this->expected_sig_rdatas_,
+ Name("example.org."), ZoneFinder::FIND_DNSSEC);
// Check that if the DB doesn't support it, the exception from there
// is not propagated and it only does not include the NSEC
@@ -2339,6 +2353,13 @@ TYPED_TEST(DatabaseClientTest, previous) {
EXPECT_THROW(finder->findPreviousName(Name("bad.example.org")),
isc::NotImplemented);
+ } else {
+ // No need to test this on mock one, because we test only that
+ // the exception gets through
+
+ // A name before the origin
+ EXPECT_THROW(finder->findPreviousName(Name("example.com")),
+ isc::NotImplemented);
}
}
@@ -2354,9 +2375,19 @@ TYPED_TEST(DatabaseClientTest, invalidRdata) {
TEST_F(MockDatabaseClientTest, missingNSEC) {
shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
+ /*
+ * FIXME: For now, we can't really distinguish this bogus input
+ * from not-signed zone so we can't throw. But once we can,
+ * enable the original test.
+ */
+#if 0
EXPECT_THROW(finder->find(Name("badnsec2.example.org."), RRType::A(), NULL,
ZoneFinder::FIND_DNSSEC),
DataSourceError);
+#endif
+ doFindTest(*finder, Name("badnsec2.example.org."), RRType::A(),
+ RRType::A(), this->rrttl_, ZoneFinder::NXDOMAIN,
+ this->expected_rdatas_, this->expected_sig_rdatas_);
}
TEST_F(MockDatabaseClientTest, badName) {
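Review bot: The new `doFindTest` call for `badnsec2.example.org.` passes `this->expected_rdatas_` and `this->expected_sig_rdatas_` as the fixture left them rather than stating that no NSEC is expected; if the fixture ever pre-fills them, the assertion changes meaning silently. Clear them explicitly before the call, `this->expected_rdatas_.clear(); this->expected_sig_rdatas_.clear();`, and say in the comment that a missing NSEC currently yields a bare NXDOMAIN with no proof, which is the behavior `findNSECCover` now has. A `// TODO` next to the `#if 0` block naming the planned is_signed flag would make the disabled assertion easy to find when that lands.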
diff --git a/src/lib/datasrc/tests/sqlite3_accessor_unittest.cc b/src/lib/datasrc/tests/sqlite3_accessor_unittest.cc
index 87708c7..3974977 100644
--- a/src/lib/datasrc/tests/sqlite3_accessor_unittest.cc
+++ b/src/lib/datasrc/tests/sqlite3_accessor_unittest.cc
@@ -375,6 +375,11 @@ TEST_F(SQLite3AccessorTest, findPrevious) {
// be skipped.
EXPECT_EQ("example.com.",
accessor->findPreviousName(1, "com.example.cname-ext."));
+ // Throw when we are before the origin
+ EXPECT_THROW(accessor->findPreviousName(1, "com.example."),
+ isc::NotImplemented);
+ EXPECT_THROW(accessor->findPreviousName(1, "a.example."),
+ isc::NotImplemented);
}
TEST_F(SQLite3AccessorTest, findPreviousNoData) {
diff --git a/src/lib/datasrc/zone.h b/src/lib/datasrc/zone.h
index 89e4003..6b74b5a 100644
--- a/src/lib/datasrc/zone.h
+++ b/src/lib/datasrc/zone.h
@@ -62,6 +62,17 @@ public:
/// we need to add one proving there's no exact match and this is
/// actually the best wildcard we have). Data sources that don't
/// support DNSSEC don't need to distinguish them.
+ ///
+ /// In case of NXRRSET related results, the returned NSEC record
+ /// belongs to the domain which would provide the result if it
+ /// contained the correct type (in case of NXRRSET, it is the queried
+ /// domain, in case of WILDCARD_NXRRSET, it is the wildcard domain
+ /// that matched the query name). In case of empty nonterminal cases,
+ /// an NSEC is provided for the interval where the empty nonterminal
+ /// lives, which is the one ending in the subdomain of the empty
+ /// nonterminal.
+ ///
+ /// In case of NXDOMAIN, the returned NSEC covers the queried domain.
enum Result {
SUCCESS, ///< An exact match is found.
DELEGATION, ///< The search encounters a zone cut.
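Review bot: The added paragraph states `In case of NXDOMAIN, the returned NSEC covers the queried domain`, but with this commit `findNSECCover` returns an empty pointer when the previous name has no NSEC or the data source does not implement findPreviousName, so a FIND_DNSSEC caller can receive NXDOMAIN (or WILDCARD_NXRRSET) with no RRset at all. Add a sentence such as `/// If the data source cannot provide the NSEC (unsigned zone, or no support for finding the previous name), the RRset is null even when FIND_DNSSEC was requested.` so callers know to check the pointer. The `Result` enum continues past the end of the hunk.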