BIND 10 master, updated. 78bb8f4b9676d6345f3fdd1e5cc89039806a9aba [master] Merge branch 'trac1836'

BIND 10 source code commits bind10-changes at lists.isc.org
Tue Mar 27 20:40:43 UTC 2012


The branch, master has been updated
       via  78bb8f4b9676d6345f3fdd1e5cc89039806a9aba (commit)
       via  4e80da3959ae51851ce68294bd59fed429977f4d (commit)
       via  d01a04e0f57552e78fe19beb99789888fecab7f4 (commit)
       via  deafd46a146bf83ea3af9076c9ec808cfd1c168b (commit)
      from  a8486dda670bf22c27c7cb2ee95b84cc53c1fc08 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 78bb8f4b9676d6345f3fdd1e5cc89039806a9aba
Merge: a8486dd 4e80da3
Author: JINMEI Tatuya <jinmei at isc.org>
Date:   Tue Mar 27 13:35:43 2012 -0700

    [master] Merge branch 'trac1836'

-----------------------------------------------------------------------

Summary of changes:
 src/bin/auth/query.cc                  |    6 ++++--
 src/bin/auth/tests/query_unittest.cc   |   22 +++++++++++++++++++---
 tests/lettuce/features/queries.feature |   16 ++++++++++++++++
 3 files changed, 39 insertions(+), 5 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 793a64f..f215c04 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -278,8 +278,10 @@ Query::addDS(ZoneFinder& finder, const Name& dname) {
                ds_context->isNSEC3Signed()) {
         // Add no DS proof with NSEC3 as specified in RFC 5155 Section 7.2.7.
         addClosestEncloserProof(finder, dname, true);
-    } else {
-        // Any other case should be an error
+    } else if (ds_context->code != ZoneFinder::NXRRSET) {
+        // We know this domain should exist, so the result must be NXRRSET.
+        // If not, the zone is broken, so we'll return SERVFAIL by triggering
+        // an exception.
         isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
     }
 }
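Review bot: The NXRRSET case in `Query::addDS` now falls off the end of the if/else chain without a comment. When neither the NSEC nor the NSEC3 flag is set, the response carries the delegation with no DS and no proof of its absence. That is right for an unsigned zone, but the code cannot tell it apart from a signed zone whose finder failed to return the proof, and a validating resolver would then reject the referral where it previously got SERVFAIL. I would state that assumption at the end of the chain, for example `// NXRRSET without NSEC/NSEC3: the zone is treated as unsigned, so no denial proof is added.` The earlier branches of the chain start outside this hunk, so the exact conditions should be checked against the full function.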
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index fea9cd0..63429ae 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -239,6 +239,10 @@ const char* const unsigned_delegation_optout_nsec_txt =
 const char* const bad_delegation_txt =
     "bad-delegation.example.com. 3600 IN NS ns.example.net.\n";
 
+// Delegation from an unsigned parent.  There's no DS, and there's no NSEC
+// or NSEC3 that proves it.
+const char* const nosec_delegation_txt =
+    "nosec-delegation.example.com. 3600 IN NS ns.nosec.example.net.\n";
 
 // A helper function that generates a textual representation of RRSIG RDATA
 // for the given covered type.  The resulting RRSIG may not necessarily make
@@ -314,7 +318,7 @@ public:
             unsigned_delegation_txt << unsigned_delegation_nsec_txt <<
             unsigned_delegation_optout_txt <<
             unsigned_delegation_optout_nsec_txt <<
-            bad_delegation_txt;
+            bad_delegation_txt << nosec_delegation_txt;
 
         masterLoad(zone_stream, origin_, rrclass_,
                    boost::bind(&MockZoneFinder::loadRRset, this, _1));
@@ -715,8 +719,9 @@ MockZoneFinder::find(const Name& name, const RRType& type,
                                       RESULT_NSEC_SIGNED));
             }
         }
-        return (createContext(options, NXRRSET, RRsetPtr(),
-                              RESULT_NSEC_SIGNED));
+        // If no NSEC is found or DNSSEC isn't specified, behave as if the
+        // zone is unsigned.
+        return (createContext(options, NXRRSET, RRsetPtr()));
     }
 
     // query name isn't found in our domains.
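Review bot: Dropping `RESULT_NSEC_SIGNED` from this fall-through return changes the mock for every NXRRSET lookup that reaches it, not only for the new `nosec-delegation` name. After this change the mock can no longer express "signed zone, NSEC missing" on this path. It is worth confirming that the existing bad-delegation test still reaches the `BadDS` throw in `Query::addDS`. The hunk does not show whether `MockZoneFinder::find` special-cases that name earlier in the function. If it does not, that test would now pass through the silent branch instead of exercising the error.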
@@ -1097,6 +1102,17 @@ TEST_F(QueryTest, delegation) {
                   NULL, delegation_txt, ns_addrs_txt);
 }
 
+TEST_F(QueryTest, delegationWithDNSSEC) {
+    // Similar to the previous one, but with requesting DNSSEC.
+    // In this case the parent zone would behave as unsigned, so the result
+    // should be just like non DNSSEC delegation.
+    query.process(memory_client, Name("www.nosec-delegation.example.com"),
+                  qtype, response, true);
+
+    responseCheck(response, Rcode::NOERROR(), 0, 0, 1, 0,
+                  NULL, nosec_delegation_txt, NULL);
+}
+
 TEST_F(QueryTest, secureDelegation) {
     EXPECT_NO_THROW(query.process(memory_client,
                                   Name("foo.signed-delegation.example.com"),
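Review bot: `delegationWithDNSSEC` calls `query.process(...)` bare, while `secureDelegation` just below wraps the same call in `EXPECT_NO_THROW`. The regression this test guards against is an unexpected `BadDS` exception, so the wrapper would make that intent explicit and report a clean assertion failure instead of an uncaught exception: `EXPECT_NO_THROW(query.process(memory_client, Name("www.nosec-delegation.example.com"), qtype, response, true));`. The body of `secureDelegation` continues outside the hunk.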
diff --git a/tests/lettuce/features/queries.feature b/tests/lettuce/features/queries.feature
index b8f9b3d..24c18f0 100644
--- a/tests/lettuce/features/queries.feature
+++ b/tests/lettuce/features/queries.feature
@@ -79,3 +79,19 @@ Feature: Querying feature
         ns2.example.org.	3600	IN	A	192.0.2.4
         mail.example.org.	3600	IN	A	192.0.2.10
         """
+    Scenario: Delegation query for unsigned child zone
+        Given I have bind10 running with configuration example.org.inmem.config
+        A dnssec query for www.sub.example.org type AAAA should have rcode NOERROR
+        The last query response should have flags qr rd
+        The last query response should have edns_flags do
+        The last query response should have ancount 0
+        The last query response should have nscount 1
+        The last query response should have adcount 2
+        The authority section of the last query response should be
+        """
+        sub.example.org.	3600	IN	NS	ns.sub.example.org.
+        """
+        The additional section of the last query response should be
+        """
+        ns.sub.example.org.	3600	IN	A	192.0.2.101
+        """


