BIND 10 master, updated. 5b2b5a2c16102329bdbc7d1421758dcd206fa45f Merge branch 'master' into trac1580
BIND 10 source code commits
bind10-changes at lists.isc.org
Fri Feb 17 11:25:21 UTC 2012
The branch, master has been updated
via 5b2b5a2c16102329bdbc7d1421758dcd206fa45f (commit)
via 2217a6591fef2fbd4026d6c2c2384a026044fc0c (commit)
via 7de090b9c37f4f68a4242127af8bb4da9eca9eb8 (commit)
via e7b760a474b50989ba32c3766580508a3283148d (commit)
via 7f74352cccef3e5b8ed292930746e8b8c723f7af (commit)
via ecb4b75c7b226482e5f2592d14f8534f6f9e03a4 (commit)
via 8d191a6771288e0cf71d48e93091f355719a3089 (commit)
via e50e1bf6c169c72fb084deb42e739b7c9ebfb94e (commit)
via be83d3bfd516ff84824a44ff8d2e0ad68bc0c613 (commit)
via 48aa1e839cf475521de07bdc0d8c870bb29f335e (commit)
via 5af17f43de48dd58fe87b85d974a554ac0136b83 (commit)
via eb872b35100ce2b602064017cd2de8ab517ffb76 (commit)
via 11401abc34828a747f7dd716a1645b143efaf2f8 (commit)
via 263d38ef6a1fe8bce1a229acc1cc14144d180c0a (commit)
from af00b01970fa7d8da6d40d8621f4a1a58dcdf297 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5b2b5a2c16102329bdbc7d1421758dcd206fa45f
Merge: 2217a6591fef2fbd4026d6c2c2384a026044fc0c af00b01970fa7d8da6d40d8621f4a1a58dcdf297
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Fri Feb 17 19:24:16 2012 +0800
Merge branch 'master' into trac1580
commit 2217a6591fef2fbd4026d6c2c2384a026044fc0c
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Thu Feb 16 00:19:11 2012 -0800
[1580] a suggested cleanup: rename addNSCOMAINProof to addNSCOMAINProofByNSEC
so it's clearer that it's NSEC specific (now that we have an NSEC3 version
of addNXDOMAINProof). For consistency rename the NSEC3 version to
addNSCOMAINProofByNSEC3. also a bit reorganized the code calling these methods
(mostly a matter of taste though), and adjusted tests to make them pass.
commit 7de090b9c37f4f68a4242127af8bb4da9eca9eb8
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 23:47:54 2012 -0800
[1580] handled one missing case: run time collision due to having matching
NSEC3 for the wildcard.
commit e7b760a474b50989ba32c3766580508a3283148d
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 23:38:54 2012 -0800
[1580] updated addNSEC3NXDOMAINProof() so we don't check duplicate NSEC3 for
now, as we discussed in #1583. Adjusted the nxdomainWithNSEC3Proof test
accordingly.
commit 7f74352cccef3e5b8ed292930746e8b8c723f7af
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 23:20:36 2012 -0800
[1580] simplified the cases with unexpected NULL results of findNSEC3().
adjusted the expected exception for nxdomainWithBadNextNSEC3Proof accordingly.
commit ecb4b75c7b226482e5f2592d14f8534f6f9e03a4
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 23:07:45 2012 -0800
[1580] corrected the comment about how to construct the corresponding
wildcard name (the previous one was seemingly copied from the NSEC
counterpart, which is not applicable here).
commit 8d191a6771288e0cf71d48e93091f355719a3089
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 23:00:37 2012 -0800
[1580] removed incorrect/redundant comments. the first line is simply
incorrect. the rest of them seem to be covered by the in-function comments.
commit e50e1bf6c169c72fb084deb42e739b7c9ebfb94e
Merge: be83d3bfd516ff84824a44ff8d2e0ad68bc0c613 c8739afa54bafeffac2cad157020242b8acb3b28
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 22:50:36 2012 -0800
[1580] Merge branch 'master' into trac1580 to reduce conflicts with results
of other NSEC3 tickets.
commit be83d3bfd516ff84824a44ff8d2e0ad68bc0c613
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Wed Feb 15 22:30:58 2012 -0800
[1580] removed white space at EOL and in blank line.
commit 48aa1e839cf475521de07bdc0d8c870bb29f335e
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Thu Feb 16 11:48:46 2012 +0800
[1580] Add Bad NSEC3 next_proof test.
commit 5af17f43de48dd58fe87b85d974a554ac0136b83
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Thu Feb 16 10:05:46 2012 +0800
[1580] Add new comments to NSEC3 proves for NXDOMAIN,and fix the
construction of wildcard domain name.
commit eb872b35100ce2b602064017cd2de8ab517ffb76
Author: JINMEI Tatuya <jinmei at isc.org>
Date: Mon Feb 13 19:09:39 2012 -0800
[1580] trivial editorial cleanups: removed white spaces at EOL, folded long lines
commit 11401abc34828a747f7dd716a1645b143efaf2f8
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Tue Feb 14 10:19:42 2012 +0800
[1580] Add NSEC3 process for NXDOMAIN.
commit 263d38ef6a1fe8bce1a229acc1cc14144d180c0a
Author: Xie Jiagui <xiejiagui at cnnic.cn>
Date: Fri Feb 10 21:19:00 2012 +0800
[1580] Update NXDOMAIN case to support NSEC3.
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 44 ++++++++++++++++-
src/bin/auth/query.h | 9 +++-
src/bin/auth/tests/query_unittest.cc | 85 +++++++++++++++++++++++++++++----
3 files changed, 122 insertions(+), 16 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 54361d1..b0c3b76 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -117,7 +117,7 @@ Query::addSOA(ZoneFinder& finder) {
// either an SERVFAIL response or just ignoring the query. We at least prevent
// a complete crash due to such broken behavior.
void
-Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
+Query::addNXDOMAINProofByNSEC(ZoneFinder& finder, ConstRRsetPtr nsec) {
if (nsec->getRdataCount() == 0) {
isc_throw(BadNSEC, "NSEC for NXDOMAIN is empty");
}
@@ -168,6 +168,40 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
}
void
+Query::addNXDOMAINProofByNSEC3(ZoneFinder& finder) {
+ // Firstly get the NSEC3 proves for Closest Encloser Proof
+ // See section 7.2.1 of RFC 5155.
+ // Since this is a Name Error case both closest and next proofs should
+ // be available (see addNXRRsetProof).
+ const ZoneFinder::FindNSEC3Result fresult1 = finder.findNSEC3(qname_,
+ true);
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<AbstractRRset>(
+ fresult1.closest_proof),
+ dnssec_);
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<AbstractRRset>(
+ fresult1.next_proof),
+ dnssec_);
+
+ // Next, construct the wildcard name at the closest encloser, i.e.,
+ // '*' followed by the closest encloser, and add NSEC3 for it.
+ const Name wildname(Name("*").concatenate(
+ qname_.split(qname_.getLabelCount() -
+ fresult1.closest_labels)));
+ const ZoneFinder::FindNSEC3Result fresult2 =
+ finder.findNSEC3(wildname, false);
+ if (fresult2.matched) {
+ isc_throw(BadNSEC3, "Matching NSEC3 found for nonexistent domain "
+ << wildname);
+ }
+ response_.addRRset(Message::SECTION_AUTHORITY,
+ boost::const_pointer_cast<AbstractRRset>(
+ fresult2.closest_proof),
+ dnssec_);
+}
+
+void
Query::addWildcardProof(ZoneFinder& finder) {
// The query name shouldn't exist in the zone if there were no wildcard
// substitution. Confirm that by specifying NO_WILDCARD. It should result
@@ -508,8 +542,12 @@ Query::process() {
case ZoneFinder::NXDOMAIN:
response_.setRcode(Rcode::NXDOMAIN());
addSOA(*result.zone_finder);
- if (dnssec_ && db_result.rrset) {
- addNXDOMAINProof(zfinder, db_result.rrset);
+ if (dnssec_) {
+ if (db_result.isNSECSigned() && db_result.rrset) {
+ addNXDOMAINProofByNSEC(zfinder, db_result.rrset);
+ } else if (db_result.isNSEC3Signed()) {
+ addNXDOMAINProofByNSEC3(zfinder);
+ }
}
break;
case ZoneFinder::NXRRSET:
diff --git a/src/bin/auth/query.h b/src/bin/auth/query.h
index b2be076..210ff69 100644
--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -101,8 +101,13 @@ private:
/// Add NSEC RRs that prove an NXDOMAIN result.
///
/// This corresponds to Section 3.1.3.2 of RFC 4035.
- void addNXDOMAINProof(isc::datasrc::ZoneFinder& finder,
- isc::dns::ConstRRsetPtr nsec);
+ void addNXDOMAINProofByNSEC(isc::datasrc::ZoneFinder& finder,
+ isc::dns::ConstRRsetPtr nsec);
+
+ /// Add NSEC3 RRs that prove an NXDOMAIN result.
+ ///
+ /// This corresponds to Section 7.2.2 of RFC 5155.
+ void addNXDOMAINProofByNSEC3(isc::datasrc::ZoneFinder& finder);
/// Add NSEC RRs that prove a wildcard answer is the best one.
///
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index c5d8a79..dd2f78a 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -329,6 +329,8 @@ public:
"q00jkcevqvmu85r014c7dkba38o0ji5r";
hash_map_[Name("nxdomain3.example.com")] =
"009mhaveqvm6t7vbl5lop2u3t2rp3tom";
+ hash_map_[Name("*.example.com")] =
+ "r53bq7cc2uvmubfu5ocmm6pers9tk9en";
hash_map_[Name("unsigned-delegation.example.com")] =
"q81r598950igr1eqvc60aedlq66425b5"; // a bit larger than H(www)
hash_map_[Name("*.uwild.example.com")] =
@@ -371,7 +373,8 @@ public:
ConstRRsetPtr rrset)
{
nsec_name_ = nsec_name;
- nsec_result_.reset(new ZoneFinder::FindResult(code, rrset));
+ nsec_result_.reset(new ZoneFinder::FindResult(code, rrset,
+ RESULT_NSEC_SIGNED));
}
// Once called, the findNSEC3 will return the provided result for the next
@@ -2146,19 +2149,79 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
NULL, mock_finder->getOrigin());
}
-// The following are tentative tests until we really add tests for the
-// query logic for these cases. At that point it's probably better to
-// clean them up.
-TEST_F(QueryTest, nxdomainWithNSEC3) {
+TEST_F(QueryTest, nxdomainWithNSEC3Proof) {
+ // Name Error (NXDOMAIN) case with NSEC3 proof per RFC5155 Section 7.2.2.
+
+ // Enable NSEC3
mock_finder->setNSEC3Flag(true);
- ZoneFinder::FindResult result = mock_finder->find(
- Name("nxdomain.example.com"), RRType::A(), ZoneFinder::FIND_DNSSEC);
- EXPECT_EQ(ZoneFinder::NXDOMAIN, result.code);
- EXPECT_FALSE(result.rrset);
- EXPECT_TRUE(result.isNSEC3Signed());
- EXPECT_FALSE(result.isWildcard());
+ // This will be the covering NSEC3 for the next closer
+ mock_finder->addRecord(nsec3_uwild_txt);
+ // This will be the covering NSEC3 for the possible wildcard
+ mock_finder->addRecord(unsigned_delegation_nsec3_txt);
+
+ Query(memory_client, Name("nxdomain.example.com"), qtype,
+ response, true).process();
+ responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 8, 0, NULL,
+ // SOA + its RRSIG
+ (string(soa_txt) +
+ string("example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("SOA") + "\n" +
+ // NSEC3 for the closest encloser + its RRSIG
+ string(nsec3_apex_txt) + "\n" +
+ mock_finder->hash_map_[mock_finder->getOrigin()] +
+ string(".example.com. 3600 IN RRSIG ") +
+ getCommonRRSIGText("NSEC3") + "\n" +
+ // NSEC3 for the next closer + its RRSIG
+ string(nsec3_uwild_txt) + "\n" +
+ mock_finder->hash_map_[Name("uwild.example.com")] +
+ ".example.com. 3600 IN RRSIG " +
+ getCommonRRSIGText("NSEC3") + "\n" +
+ // NSEC3 for the wildcard + its RRSIG
+ string(unsigned_delegation_nsec3_txt) +
+ mock_finder->hash_map_[
+ Name("unsigned-delegation.example.com")] +
+ ".example.com. 3600 IN RRSIG " +
+ getCommonRRSIGText("NSEC3")).c_str(),
+ NULL, mock_finder->getOrigin());
+}
+
+TEST_F(QueryTest, nxdomainWithBadNextNSEC3Proof) {
+ // Similar to the previous case, but emulating run time collision by
+ // returning NULL in the next closer proof for the closest encloser
+ // proof.
+ mock_finder->setNSEC3Flag(true);
+ ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
+ ConstRRsetPtr());
+ mock_finder->setNSEC3Result(&nsec3);
+
+ // Message::addRRset() will detect it and throw InvalidParameter.
+ EXPECT_THROW(Query(memory_client, Name("nxdomain.example.com"),
+ RRType::TXT(), response, true).process(),
+ isc::InvalidParameter);
+}
+
+TEST_F(QueryTest, nxdomainWithBadWildcardNSEC3Proof) {
+ // Similar to nxdomainWithNSEC3Proof, but let findNSEC3() return a matching
+ // NSEC3 for the possible wildcard name, emulating run-time collision.
+ // This should result in BadNSEC3 exception.
+
+ mock_finder->setNSEC3Flag(true);
+ mock_finder->addRecord(nsec3_uwild_txt);
+ mock_finder->addRecord(unsigned_delegation_nsec3_txt);
+
+ const Name wname("*.example.com");
+ ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
+ ConstRRsetPtr());
+ mock_finder->setNSEC3Result(&nsec3, &wname);
+
+ EXPECT_THROW(Query(memory_client, Name("nxdomain.example.com"), qtype,
+ response, true).process(),
+ Query::BadNSEC3);
}
+// The following are tentative tests until we really add tests for the
+// query logic for these cases. At that point it's probably better to
+// clean them up.
TEST_F(QueryTest, emptyNameWithNSEC3) {
mock_finder->setNSEC3Flag(true);
ZoneFinder::FindResult result = mock_finder->find(
More information about the bind10-changes
mailing list