BIND 10 trac1584, updated. 7be2f0a4db2e3e20ee28429fddea1dea11592eb7 add RFC 5155 Section 7.2.6. the NSEC3 wildcard answer responses is added in this branch

BIND 10 source code commits bind10-changes at lists.isc.org
Tue Feb 14 12:03:07 UTC 2012


The branch, trac1584 has been updated
       via  7be2f0a4db2e3e20ee28429fddea1dea11592eb7 (commit)
      from  4d266d80beb7e0d8b1f45a4a4bc7cc39a1657486 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7be2f0a4db2e3e20ee28429fddea1dea11592eb7
Author: zhanghk <zhanghk at zhanghk.(none)>
Date:   Tue Feb 14 19:50:59 2012 +0800

    add RFC 5155  Section 7.2.6. the NSEC3 wildcard answer responses is added in this branch

-----------------------------------------------------------------------

Summary of changes:
 src/bin/auth/query.cc |   39 +++++++++++++++++++++++++++++++++++----
 src/bin/auth/query.h  |    3 ++-
 2 files changed, 37 insertions(+), 5 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index f8f59c4..0b2d4c7 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -168,20 +168,51 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
 }
 
 void
-Query::addWildcardProof(ZoneFinder& finder) {
+Query::addWildcardProof(ZoneFinder& finder,
+			const ZoneFinder::FindResult& db_result) 
+{
     // The query name shouldn't exist in the zone if there were no wildcard
     // substitution.  Confirm that by specifying NO_WILDCARD.  It should result
     // in NXDOMAIN and an NSEC RR that proves it should be returned.
+    if(db_result.isNSECSigned() && db_result.isWildcard()){
     const ZoneFinder::FindResult fresult =
         finder.find(qname_, RRType::NSEC(),
                     dnssec_opt_ | ZoneFinder::NO_WILDCARD);
     if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
         fresult.rrset->getRdataCount() == 0) {
-        isc_throw(BadNSEC, "Unexpected result for wildcard proof");
+        isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
     }
     response_.addRRset(Message::SECTION_AUTHORITY,
                        boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
                        dnssec_);
+    }else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
+	// case for RFC5155 Section 7.2.6
+	const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
+                                                                  true));
+	/*
+	if (NSEC3Result.code != ZoneFinder::NXDOMAIN || !NSEC3Result.rrset ||
+            NSEC3Result.rrset->getRdataCount() == 0) {
+        	isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
+    	}
+	*/
+	response_.addRRset(Message::SECTION_AUTHORITY,
+                           boost::const_pointer_cast<AbstractRRset>(
+                               NSEC3Result.next_proof), dnssec_);
+	const Name wname = Name("*").concatenate(
+            qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels));
+        const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
+                                                                   false));
+        if (wresult.matched) {
+            response_.addRRset(Message::SECTION_AUTHORITY,
+                               boost::const_pointer_cast<AbstractRRset>(
+                                   wresult.closest_proof), dnssec_);
+        } else {
+            isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
+                      << wname);
+         }
+		
+    }
+    
 }
 
 void
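Review bot: In the new NSEC3 branch of `addWildcardProof`, `NSEC3Result.next_proof` is handed to `response_.addRRset` with no validation, because the only check is commented out (and it tests `code` and `rrset`, which are not the fields this branch reads from the NSEC3 result). If the recursive `findNSEC3` lookup ever matches `qname_` itself, `next_proof` is presumably null, so the response would either carry a null RRset or omit the covering NSEC3 that proves no closer name exists. Replace the dead block with a live guard, e.g. `if (!NSEC3Result.next_proof) { isc_throw(BadNSEC3, "No covering NSEC3 for wildcard proof"); }`. The subtraction `qname_.getLabelCount() - NSEC3Result.closest_labels` is also unchecked and deserves an assertion that `closest_labels` is smaller than the label count. Separately, RFC 5155 Section 7.2.6 requires only the NSEC3 covering the next closer name, so the extra wildcard-matching NSEC3 (and the throw when it is missing) looks like the Section 7.2.5 case and is worth confirming.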
@@ -386,7 +417,7 @@ Query::process() {
             // If the answer is a result of wildcard substitution,
             // add a proof that there's no closer name.
             if (dnssec_ && db_result.isWildcard()) {
-                addWildcardProof(*result.zone_finder);
+                addWildcardProof(*result.zone_finder,db_result);
             }
             break;
         case ZoneFinder::SUCCESS:
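Review bot: This call site (and the identical one in the next hunk) still gates only on `dnssec_ && db_result.isWildcard()`, but the callee now does nothing when the result is neither `isNSECSigned()` nor `isNSEC3Signed()`. Before this change that situation went through the NSEC lookup and raised `BadNSEC`; now a DNSSEC wildcard answer is sent with no proof and no error. Consider a final `else` in `addWildcardProof` that throws or at least logs, and drop the repeated `isWildcard()` test there since the caller already guarantees it. As a style point, add the space after the comma: `addWildcardProof(*result.zone_finder, db_result);`. `Query::process()` starts and ends outside this hunk.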
@@ -420,7 +451,7 @@ Query::process() {
             // If the answer is a result of wildcard substitution,
             // add a proof that there's no closer name.
             if (dnssec_ && db_result.isWildcard()) {
-                addWildcardProof(*result.zone_finder);
+                addWildcardProof(*result.zone_finder,db_result);
             }
             break;
         case ZoneFinder::DELEGATION:
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index 4cc4c5d..dfd93f0 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -106,7 +106,8 @@ private:
     /// Add NSEC RRs that prove a wildcard answer is the best one.
     ///
     /// This corresponds to Section 3.1.3.3 of RFC 4035.
-    void addWildcardProof(isc::datasrc::ZoneFinder& finder);
+    void addWildcardProof(isc::datasrc::ZoneFinder& finder,
+			const isc::datasrc::ZoneFinder::FindResult& dbResult);
 
     /// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
     /// matched <QNAME,QTYPE> through wildcard extension.
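Review bot: The doc comment above `addWildcardProof` still describes only the NSEC case ("Add NSEC RRs ... Section 3.1.3.3 of RFC 4035") and does not mention the new parameter. Extend it to say that NSEC3-signed zones are handled per RFC 5155 Section 7.2.6, and add a `\param` line for each argument stating that the second one is the find result for the wildcard-expanded answer, used to select NSEC or NSEC3. The declaration names the parameter `dbResult` while the definition in query.cc uses `db_result`; use `db_result` in both places. The continuation line is tab-indented; align it with spaces like the rest of the header.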



