BIND 10 trac1584, updated. 77ceb4384e75a1e613b1fbf8766745dbd95221a9 construct name as next closer+closest encloser, and then invoke findNSEC3 to confirm its non-exist
BIND 10 source code commits
bind10-changes at lists.isc.org
Wed Feb 15 13:44:09 UTC 2012
The branch, trac1584 has been updated
via 77ceb4384e75a1e613b1fbf8766745dbd95221a9 (commit)
from 7be2f0a4db2e3e20ee28429fddea1dea11592eb7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 77ceb4384e75a1e613b1fbf8766745dbd95221a9
Author: zhanghk <zhanghk at zhanghk.(none)>
Date: Wed Feb 15 21:42:16 2012 +0800
construct name as next closer+closest encloser, and then invoke findNSEC3 to confirm its non-existence
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 79 ++++++++++++++++++++++--------------------------
1 files changed, 36 insertions(+), 43 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 0b2d4c7..0f68cf7 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -169,50 +169,43 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
void
Query::addWildcardProof(ZoneFinder& finder,
- const ZoneFinder::FindResult& db_result)
+ const ZoneFinder::FindResult& db_result)
{
- // The query name shouldn't exist in the zone if there were no wildcard
- // substitution. Confirm that by specifying NO_WILDCARD. It should result
- // in NXDOMAIN and an NSEC RR that proves it should be returned.
- if(db_result.isNSECSigned() && db_result.isWildcard()){
- const ZoneFinder::FindResult fresult =
- finder.find(qname_, RRType::NSEC(),
- dnssec_opt_ | ZoneFinder::NO_WILDCARD);
- if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
- fresult.rrset->getRdataCount() == 0) {
- isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
- }
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
- dnssec_);
- }else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
- // case for RFC5155 Section 7.2.6
- const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
- true));
- /*
- if (NSEC3Result.code != ZoneFinder::NXDOMAIN || !NSEC3Result.rrset ||
- NSEC3Result.rrset->getRdataCount() == 0) {
- isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
- }
- */
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<AbstractRRset>(
- NSEC3Result.next_proof), dnssec_);
- const Name wname = Name("*").concatenate(
- qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels));
- const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
- false));
- if (wresult.matched) {
- response_.addRRset(Message::SECTION_AUTHORITY,
- boost::const_pointer_cast<AbstractRRset>(
- wresult.closest_proof), dnssec_);
- } else {
- isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
- << wname);
- }
-
- }
-
+ // The query name shouldn't exist in the zone if there were no wildcard
+ // substitution. Confirm that by specifying NO_WILDCARD. It should result
+ // in NXDOMAIN and an NSEC RR that proves it should be returned.
+ if(db_result.isNSECSigned() && db_result.isWildcard()){
+ const ZoneFinder::FindResult fresult =
+ finder.find(qname_, RRType::NSEC(),
+ dnssec_opt_ | ZoneFinder::NO_WILDCARD);
+ if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
+ fresult.rrset->getRdataCount() == 0) {
+ isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
+ }
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
+ dnssec_);
+ }else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
+ // case for RFC5155 Section 7.2.6
+ const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
+ true));
+ if (NULL == NSEC3Result.next_proof){
+ isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
+ }
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<AbstractRRset>(
+ NSEC3Result.next_proof), dnssec_);
+ const Name wname =
+ qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels - 1);
+ const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
+ false));
+ if (wresult.matched) {
+ isc_throw(BadNSEC3, "Unexpected NSEC3 found for existing domain "
+ << wname);
+ }
+
+ }
+
}
void
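Review bot: In the NSEC3 branch of addWildcardProof, `qname_.getLabelCount() - NSEC3Result.closest_labels - 1` is computed after checking only `next_proof`, so nothing establishes that `closest_labels` is smaller than the query name's label count. If the finder ever reports a closest encloser as long as qname_ (for example from inconsistent zone data), the subtraction, presumably unsigned, wraps and `split()` receives an out-of-range value. A guard before building `wname`, such as `if (NSEC3Result.closest_labels >= qname_.getLabelCount()) { isc_throw(BadNSEC3, "Closest encloser is not shorter than the query name"); }`, would make the failure explicit. The message `"Unexpected NSEC3 found for existing domain "` also looks carried over from the removed code: here `wname` is the next closer name, which is expected not to exist, so something like `"Matching NSEC3 found for next closer name "` would describe the condition. The leading comment still describes only the NSEC case, so a short comment on the NSEC3 branch saying that `next_proof` is the covering NSEC3 and the second lookup is only a consistency check would help; `!NSEC3Result.next_proof` would match the `!fresult.rrset` test in the NSEC branch.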