BIND 10 trac1579, updated. 94793e41d922cb10e35e0ff146b19c38ace415b1 [1579] If nsec and nsec3 coexist in zone, find function and findAll function will throw error. find and findAll function will set RESULT_NSEC3_SIGNED if the zone is signed with NSEC3.

BIND 10 source code commits bind10-changes at lists.isc.org
Fri Mar 30 11:56:36 UTC 2012


The branch, trac1579 has been updated
       via  94793e41d922cb10e35e0ff146b19c38ace415b1 (commit)
      from  dfd2aeefef39f064183c84c23451637247e32399 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 94793e41d922cb10e35e0ff146b19c38ace415b1
Author: haikuo zhang <zhanghaikuo at cnnic.cn>
Date:   Fri Mar 30 19:52:51 2012 +0800

    [1579] If nsec and nsec3 coexist in zone, find function and findAll
    function will throw error. find and findAll function will set
    RESULT_NSEC3_SIGNED if the zone is signed with NSEC3.

-----------------------------------------------------------------------

Summary of changes:
 src/lib/datasrc/database.cc                        |  157 +++++++++++---------
 src/lib/datasrc/database.h                         |   30 +++-
 src/lib/datasrc/tests/database_unittest.cc         |  123 ++++++++++-----
 .../datasrc/tests/zone_finder_context_unittest.cc  |    1 -
 4 files changed, 193 insertions(+), 118 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/lib/datasrc/database.cc b/src/lib/datasrc/database.cc
index c2bc47a..c85047a 100644
--- a/src/lib/datasrc/database.cc
+++ b/src/lib/datasrc/database.cc
@@ -286,13 +286,11 @@ DatabaseClient::Finder::getRRsets(const string& name, const WantedTypes& types,
          i != result.end(); ++ i) {
         sig_store.appendSignatures(i->second);
     }
-
     if (records_found && any) {
         result[RRType::ANY()] = RRsetPtr();
         // These will be sitting on the other RRsets.
         result.erase(RRType::RRSIG());
     }
-
     return (FoundRRsets(records_found, result));
 }
 
@@ -367,6 +365,19 @@ FINAL_TYPES() {
     return (result);
 }
 
+const WantedTypes&
+FINAL_TYPES_NO_NSEC() {
+    static bool initialized(false);
+    static WantedTypes result;
+
+    if (!initialized) {
+        result.insert(RRType::CNAME());
+        result.insert(RRType::NS());
+        initialized = true;
+    }    
+    return (result);
+}
+
 }
 
 ConstRRsetPtr
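Review bot: FINAL_TYPES_NO_NSEC() is added without a comment saying why NSEC is left out or when to use it instead of FINAL_TYPES(). A one-line header would cover it, e.g. `// Types that end the search in an NSEC3-signed zone; NSEC is omitted because no NSEC RRset is returned in that case.` The `static bool initialized` lazy initialisation is not synchronised; it appears to mirror FINAL_TYPES(), of which only the tail is visible here, so it is worth confirming that these helpers are only reached from one thread. The added line `    }    ` also carries trailing whitespace.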
@@ -412,10 +423,16 @@ DatabaseClient::Finder::findAll(const isc::dns::Name& name,
                                 std::vector<isc::dns::ConstRRsetPtr>& target,
                                 const FindOptions options)
 {
+    const bool need_nsec3 = (((options & FIND_DNSSEC) != 0) && isNSEC3());
+    if ((need_nsec3 == true) && (isNSEC() == true)){
+        isc_throw(DataSourceError, "nsec and nsec3 coexist"); 
+    }
+    // If the zone is signed with NSEC3, need to add RESULT_NSEC3_SIGNED to the flags
+    // in FindContext when NXRRSET NXDOMAIN or WILDCARD in the DNSSEC query, no need 
+    // NSEC RRset at the same time.
     return (ZoneFinderContextPtr(new Context(*this, options,
-                                             findInternal(name, RRType::ANY(),
-                                                          &target, options),
-                                             target)));
+                                             findInternal(name, RRType::ANY(), &target, 
+                                                          options, need_nsec3),target)));
 }
 
 ZoneFinderContextPtr
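Review bot: Throwing DataSourceError from findAll() (and identically from find() in the next hunk) turns a zone-content condition into a failure of every FIND_DNSSEC lookup in that zone, while the same names still resolve without FIND_DNSSEC. An apex holding both NSEC3PARAM and NSEC can presumably occur while a zone is moved between NSEC and NSEC3, so confirm how callers handle this exception and whether a logged error with a defined fallback would be safer for availability than aborting the lookup. The message should at least identify the zone, e.g. `isc_throw(DataSourceError, "NSEC and NSEC3PARAM both present at apex of " << origin_.toText());`. The condition also reads more directly as `if (need_nsec3 && isNSEC()) {`. The explanatory comment sits after the check here but before it in find().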
@@ -426,9 +443,16 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
     if (type == RRType::ANY()) {
         isc_throw(isc::Unexpected, "Use findAll to answer ANY");
     }
+    // If the zone is signed with NSEC3, need to add RESULT_NSEC3_SIGNED to the flags
+    // in FindContext when NXRRSET NXDOMAIN or WILDCARD in the DNSSEC query, no need 
+    // NSEC RRset at the same time.
+    const bool need_nsec3 = (((options & FIND_DNSSEC) != 0) && isNSEC3());
+    if ((need_nsec3 == true) && (isNSEC() == true)){
+        isc_throw(DataSourceError, "nsec and nsec3 coexist"); 
+    }
     return (ZoneFinderContextPtr(new Context(*this, options,
                                              findInternal(name, type,
-                                                          NULL, options))));
+                                                          NULL, options,need_nsec3))));
 }
 
 DatabaseClient::Finder::DelegationSearchResult
@@ -593,12 +617,12 @@ ZoneFinder::ResultContext
 DatabaseClient::Finder::findWildcardMatch(
     const isc::dns::Name& name, const isc::dns::RRType& type,
     const FindOptions options, const DelegationSearchResult& dresult,
-    std::vector<isc::dns::ConstRRsetPtr>* target)
+    std::vector<isc::dns::ConstRRsetPtr>* target, const bool need_nsec3)
 {
     // Note that during the search we are going to search not only for the
     // requested type, but also for types that indicate a delegation -
     // NS and DNAME.
-    WantedTypes final_types(FINAL_TYPES());
+    WantedTypes final_types(need_nsec3 ? FINAL_TYPES_NO_NSEC() : FINAL_TYPES());
     final_types.insert(type);
 
     const size_t remove_labels = name.getLabelCount() - dresult.last_known;
@@ -632,12 +656,12 @@ DatabaseClient::Finder::findWildcardMatch(
                           DATASRC_DATABASE_WILDCARD_CANCEL_NS).
                     arg(accessor_->getDBName()).arg(wildcard).
                     arg(dresult.first_ns->getName());
-                return (ResultContext(DELEGATION, dresult.first_ns));
+                return (ResultContext(DELEGATION, dresult.first_ns)); 
             } else if (!hasSubdomains(name.split(i - 1).toText())) {
                 // The wildcard match is the best one, find the final result
                 // at it.  Note that wildcard should never be the zone origin.
                 return (findOnNameResult(name, type, options, false,
-                                         found, &wildcard, target));
+                                         found, &wildcard, target, need_nsec3));
             } else {
 
                 // more specified match found, cancel wildcard match
@@ -653,7 +677,7 @@ DatabaseClient::Finder::findWildcardMatch(
             LOG_DEBUG(logger, DBG_TRACE_DETAILED,
                       DATASRC_DATABASE_WILDCARD_EMPTY).
                 arg(accessor_->getDBName()).arg(wildcard).arg(name);
-            if ((options & FIND_DNSSEC) != 0) {
+            if (((options & FIND_DNSSEC) != 0) && (need_nsec3 == false)) {
                 ConstRRsetPtr nsec = findNSECCover(Name(wildcard));
                 if (nsec) {
                     return (ResultContext(NXRRSET, nsec,
@@ -661,7 +685,8 @@ DatabaseClient::Finder::findWildcardMatch(
                                           RESULT_NSEC_SIGNED));
                 }
             }
-            return (ResultContext(NXRRSET, ConstRRsetPtr(), RESULT_WILDCARD));
+            return (ResultContext(NXRRSET, ConstRRsetPtr(), need_nsec3 ? 
+                        (RESULT_WILDCARD | RESULT_NSEC3_SIGNED) : RESULT_WILDCARD));
         }
     }
 
@@ -707,11 +732,16 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
                                          const FoundRRsets& found,
                                          const string* wildname,
                                          std::vector<isc::dns::ConstRRsetPtr>*
-                                         target)
+                                         target, const bool need_nsec3)
 {
     const bool wild = (wildname != NULL);
-    FindResultFlags flags = wild ? RESULT_WILDCARD : RESULT_DEFAULT;
-
+    FindResultFlags flags;
+    if (need_nsec3) {
+        flags = wild ? (RESULT_WILDCARD | RESULT_NSEC3_SIGNED) : 
+            RESULT_DEFAULT;
+    } else {
+        flags = wild ? RESULT_WILDCARD : RESULT_DEFAULT;
+    }
     // Get iterators for the different types of records we are interested in -
     // CNAME, NS and Wanted types.
     const FoundIterator nsi(found.second.find(RRType::NS()));
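Review bot: `FindResultFlags flags;` is now declared without a value and assigned in a four-way branch, although only the wildcard-with-NSEC3 case differs from the old one-liner. Keeping the initialisation and adding the one extra case is shorter and leaves no uninitialised declaration: `FindResultFlags flags = wild ? RESULT_WILDCARD : RESULT_DEFAULT;` followed by `if (wild && need_nsec3) { flags = flags | RESULT_NSEC3_SIGNED; }`. The blank line that separated this setup from the iterator block was dropped as well. The function body continues outside this hunk.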
@@ -723,7 +753,7 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
     // TODO: this part should be revised when we support NSEC3; ideally we
     // should use more effective and efficient way to identify (whether and)
     // in which way the zone is signed.
-    if (wild && (options & FIND_DNSSEC) != 0 &&
+    if (wild && (options & FIND_DNSSEC) != 0 && (need_nsec3 == false) &&
         found.second.find(RRType::NSEC()) != found.second.end()) {
         flags = flags | RESULT_NSEC_SIGNED;
     }
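Review bot: The TODO directly above the changed condition still says this part should be revised "when we support NSEC3", but the condition now branches on `need_nsec3`, so the comment no longer matches the code. Either update it to say what remains open, or replace it with a line such as `// NSEC at the wildcard name only matters when the zone is not NSEC3-signed.` Writing `!need_nsec3` instead of `(need_nsec3 == false)` would also match the neighbouring tests on `wild`.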
@@ -755,7 +785,6 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
                                    wild ? DATASRC_DATABASE_WILDCARD_CNAME :
                                    DATASRC_DATABASE_FOUND_CNAME,
                                    flags));
-
     } else if (wti != found.second.end()) {
         bool any(type == RRType::ANY());
         isc::log::MessageID lid(wild ? DATASRC_DATABASE_WILDCARD_MATCH :
@@ -788,7 +817,7 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
     // NSEC records in the name of the wildcard, not the substituted one,
     // so we need to search the tree again.
     ConstRRsetPtr nsec_rrset;   // possibly used with DNSSEC, otherwise NULL
-    if ((options & FIND_DNSSEC) != 0) {
+    if ((options & FIND_DNSSEC) != 0 && (need_nsec3 == false)) {
         if (wild) {
             const FoundRRsets wfound = getRRsets(*wildname, NSEC_TYPES(),
                                                  true);
@@ -812,7 +841,8 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
     }
     return (logAndCreateResult(name, wildname, type, NXRRSET, nsec_rrset,
                                wild ? DATASRC_DATABASE_WILDCARD_NXRRSET :
-                               DATASRC_DATABASE_FOUND_NXRRSET, flags));
+                               DATASRC_DATABASE_FOUND_NXRRSET, need_nsec3?
+                               (flags | RESULT_NSEC3_SIGNED):flags));
 }
 
 ZoneFinder::ResultContext
@@ -820,9 +850,10 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
                                          FindOptions options,
                                          const DelegationSearchResult& dresult,
                                          std::vector<isc::dns::ConstRRsetPtr>*
-                                         target)
+                                         target, const bool need_nsec3)
 {
     const bool dnssec_data = ((options & FIND_DNSSEC) != 0);
+    const bool need_nsec = ((dnssec_data == true) && (need_nsec3 == false));
     // On entry to this method, we know that the database doesn't have any
     // entry for this name.  Before returning NXDOMAIN, we need to check
     // for special cases.
@@ -834,17 +865,17 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
         LOG_DEBUG(logger, DBG_TRACE_DETAILED,
                   DATASRC_DATABASE_FOUND_EMPTY_NONTERMINAL).
             arg(accessor_->getDBName()).arg(name);
-        const ConstRRsetPtr nsec = dnssec_data ? findNSECCover(name) :
-                                   ConstRRsetPtr();
+        const ConstRRsetPtr nsec = need_nsec ? findNSECCover(name) :
+            ConstRRsetPtr();
         return (ResultContext(NXRRSET, nsec, nsec ? RESULT_NSEC_SIGNED :
-                              RESULT_DEFAULT));
+            (need_nsec3 ? RESULT_NSEC3_SIGNED : RESULT_DEFAULT)));
     } else if ((options & NO_WILDCARD) == 0) {
         // It's not an empty non-terminal and wildcard matching is not
         // disabled, so check for wildcards. If there is a wildcard match
         // (i.e. all results except NXDOMAIN) return it; otherwise fall
         // through to the NXDOMAIN case below.
         const ResultContext wcontext =
-            findWildcardMatch(name, type, options, dresult, target);
+            findWildcardMatch(name, type, options, dresult, target, need_nsec3);
         if (wcontext.code != NXDOMAIN) {
             return (wcontext);
         }
@@ -854,16 +885,41 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
     // NSEC records if requested).
     LOG_DEBUG(logger, DBG_TRACE_DETAILED, DATASRC_DATABASE_NO_MATCH).
               arg(accessor_->getDBName()).arg(name).arg(type).arg(getClass());
-    const ConstRRsetPtr nsec = dnssec_data ? findNSECCover(name) :
+    const ConstRRsetPtr nsec = need_nsec ? findNSECCover(name) :
         ConstRRsetPtr();
     return (ResultContext(NXDOMAIN, nsec,
-                          nsec ? RESULT_NSEC_SIGNED : RESULT_DEFAULT));
+                          nsec ? RESULT_NSEC_SIGNED : (need_nsec3 ?
+                          RESULT_NSEC3_SIGNED : RESULT_DEFAULT)));
+}
+
+bool
+DatabaseClient::Finder::isNSEC3()
+{
+    // If an NSEC3PARAM RR exists at the zone apex, it's quite likely that
+    // the zone is signed with NSEC3.  (If not the zone is more or less broken,
+    // but it's caller's responsibility how to handle such cases).
+    const FoundRRsets nsec3_found = getRRsets(origin_.toText(),
+                                              NSEC3PARAM_TYPES(), false);
+    const FoundIterator nfi(nsec3_found.second.find(RRType::NSEC3PARAM()));
+    return (nfi != nsec3_found.second.end());
+}
+
+bool
+DatabaseClient::Finder::isNSEC()
+{
+    // If an NSEC RRsets exists at the zone apex, it's quite likely that
+    // the zone is signed with NSEC. (If not the zone is more or less broken,
+    // but it's caller's responsibility how to handle such cases)
+    const FoundRRsets nsec_found = getRRsets(origin_.toText(),
+                                             NSEC_TYPES(), false);
+    const FoundIterator nfi(nsec_found.second.find(RRType::NSEC()));
+    return (nfi != nsec_found.second.end());
 }
 
 ZoneFinder::ResultContext
 DatabaseClient::Finder::findInternal(const Name& name, const RRType& type,
                                      std::vector<ConstRRsetPtr>* target,
-                                     const FindOptions options)
+                                     const FindOptions options, const bool is_nsec3)
 {
     LOG_DEBUG(logger, DBG_TRACE_DETAILED, DATASRC_DATABASE_FIND_RECORDS)
               .arg(accessor_->getDBName()).arg(name).arg(type).arg(getClass());
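Review bot: findInternal() names its new parameter `is_nsec3` while the declaration in database.h and the three helpers call it `need_nsec3`. The value passed in is `FIND_DNSSEC && isNSEC3()`, not whether the zone is NSEC3-signed, so `need_nsec3` is the accurate name here too. The comments in isNSEC3() and isNSEC() say the result is only "quite likely". The header documentation should state that both are heuristics based on apex data and that each call performs a getRRsets() lookup at the origin. The new `need_nsec ?` continuation lines also use a different indent from the lines they replace. findInternal's body continues past the end of this hunk.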
@@ -902,59 +958,20 @@ DatabaseClient::Finder::findInternal(const Name& name, const RRType& type,
     //   apex - DNAME is ignored here as it redirects DNS names subordinate to
     //   the owner name - the owner name itself is not redirected.)
     const bool is_origin = (name == getOrigin());
-    WantedTypes final_types(FINAL_TYPES());
+    WantedTypes final_types(is_nsec3 ? FINAL_TYPES_NO_NSEC() : FINAL_TYPES());
     final_types.insert(type);
     const FoundRRsets found = getRRsets(name.toText(), final_types,
                                         !is_origin, NULL,
                                         type == RRType::ANY());
-
-    // If an NSEC3PARAM RR exists at the zone apex, it's quite likely that
-    // the zone is signed with NSEC3.  (If not the zone is more or less broken,
-    // but it's caller's responsibility how to handle such cases).
-    const FoundRRsets nsec3_found = getRRsets(origin_.toText(),
-                                              NSEC3PARAM_TYPES(), false);
-    const FoundIterator nfi(nsec3_found.second.find(RRType::NSEC3PARAM()));
-    const bool is_nsec3 = (nfi != nsec3_found.second.end());
     if (found.first) {
         // Something found at the domain name.  Look into it further to get
         // the final result.
-        if (is_nsec3) {
-            const ZoneFinder::ResultContext result_context =
-                findOnNameResult(name, type, options, is_origin, found, NULL,
-                                 target);
-            if ((result_context.code & NXRRSET) != 0 ||
-                (result_context.flags & RESULT_WILDCARD) != 0) {
-                return (ZoneFinder::ResultContext(result_context.code,
-                                                  result_context.rrset,
-                                                  (result_context.flags |
-                                                   RESULT_NSEC3_SIGNED)));
-            } else {
-                return (result_context);
-            }
-        } else {
-            return (findOnNameResult(name, type, options, is_origin, found,
-                                     NULL, target));
-        }
+        return (findOnNameResult(name, type, options, is_origin, found,
+                                 NULL, target, is_nsec3));
     } else {
         // Did not find anything at all at the domain name, so check for
         // subdomains or wildcards.
-        if (is_nsec3) {
-            // NSEC3 is used for this zone
-            const ZoneFinder::ResultContext result_context =
-                findNoNameResult(name, type, options, dresult, target);
-            if ((result_context.code & (NXRRSET | NXDOMAIN)) != 0 ||
-                (result_context.flags & RESULT_WILDCARD) != 0) {
-                // NXRRSET NXDOMAIN and wildcard should set RESULT_NSEC3_SIGNED
-                return (ZoneFinder::ResultContext(result_context.code,
-                                                  result_context.rrset,
-                                                  (result_context.flags |
-                                                   RESULT_NSEC3_SIGNED)));
-            } else {
-                return (result_context);
-            }
-        } else {
-            return (findNoNameResult(name, type, options, dresult, target));
-        }
+        return (findNoNameResult(name, type, options, dresult, target, is_nsec3));
     }
 }
 
diff --git a/src/lib/datasrc/database.h b/src/lib/datasrc/database.h
index afd3efb..6bffd80 100644
--- a/src/lib/datasrc/database.h
+++ b/src/lib/datasrc/database.h
@@ -706,6 +706,17 @@ public:
         virtual isc::dns::Name getOrigin() const;
         virtual isc::dns::RRClass getClass() const;
 
+
+        /// \brief check whether zone is signed with nsec3
+        ///
+        /// searches the NSEC3PARAM RRset in the zone apex, if it exists, the 
+        /// zone looks signed with nsec3
+        bool isNSEC3();
+        /// \brief check whether zone is signed with nsec
+        ///
+        /// searches the NSEC RRset in the zone apex, if it exists, the 
+        /// zone looks signed with nsec
+        bool isNSEC();
         /// \brief Find an RRset in the datasource
         ///
         /// Searches the datasource for an RRset of the given name and
@@ -801,7 +812,8 @@ public:
                                    const isc::dns::RRType& type,
                                    std::vector<isc::dns::ConstRRsetPtr>*
                                    target,
-                                   const FindOptions options = FIND_DEFAULT);
+                                   const FindOptions options = FIND_DEFAULT,
+                                   const bool need_nsec3 = false);
 
         /// \brief Searches database for RRsets of one domain.
         ///
@@ -939,7 +951,8 @@ public:
         /// \param target If the type happens to be ANY, it will insert all
         ///        the RRsets of the found name (if any is found) here instead
         ///        of being returned by the result.
-        ///
+        /// \param need_nsec3 When zone is signed with nsec3, no need to find 
+        ///        nsec rrset
         /// \return Tuple holding the result of the search - the RRset of the
         ///         wildcard records matching the name, together with a status
         ///         indicating the match type (e.g. CNAME at the wildcard
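Review bot: The new `\param need_nsec3` text ("When zone is signed with nsec3, no need to find nsec rrset") does not say what the flag means or what it changes in the result; the same sentence is repeated for findOnNameResult() and findNoNameResult() in the later hunks. Suggested wording for all three: `/// \param need_nsec3 true if DNSSEC data was requested and the zone is NSEC3-signed; no NSEC RRset is looked up and RESULT_NSEC3_SIGNED is set on negative and wildcard results.` Each of these hunks also replaces the empty `///` separator line before `\return`, which the other parameter blocks in this header keep.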
@@ -952,7 +965,8 @@ public:
             const isc::dns::RRType& type,
             const FindOptions options,
             const DelegationSearchResult& dresult,
-            std::vector<isc::dns::ConstRRsetPtr>* target);
+            std::vector<isc::dns::ConstRRsetPtr>* target, 
+            const bool need_nsec3);
 
         /// \brief Handle matching results for name
         ///
@@ -985,7 +999,8 @@ public:
         ///                 it's NULL in the case of non wildcard match.
         /// \param target When the query is any, this must be set to a vector
         ///    where the result will be stored.
-        ///
+        /// \param need_nsec3 When zone is signed with nsec3, no need to find 
+        ///    nsec rrset
         /// \return Tuple holding the result of the search - the RRset of the
         ///         wildcard records matching the name, together with a status
         ///         indicating the match type (corresponding to the each of
@@ -999,7 +1014,7 @@ public:
                                        const FoundRRsets& found,
                                        const std::string* wildname,
                                        std::vector<isc::dns::ConstRRsetPtr>*
-                                       target);
+                                       target, const bool need_nsec3);
 
         /// \brief Handle no match for name
         ///
@@ -1024,7 +1039,8 @@ public:
         /// \param target If the query is for type ANY, the successfull result,
         ///        if there happens to be one, will be returned through the
         ///        parameter, as it doesn't fit into the result.
-        ///
+        /// \param need_nsec3 When zone is signed with nsec3, no need to find
+        ///        nsec rrset
         /// \return Tuple holding the result of the search - the RRset of the
         ///         wildcard records matching the name, together with a status
         ///         indicating the match type (e.g. CNAME at the wildcard
@@ -1035,7 +1051,7 @@ public:
                                        FindOptions options,
                                        const DelegationSearchResult& dresult,
                                        std::vector<isc::dns::ConstRRsetPtr>*
-                                       target);
+                                       targeti, const bool need_nsec3);
 
         /// Logs condition and creates result
         ///
diff --git a/src/lib/datasrc/tests/database_unittest.cc b/src/lib/datasrc/tests/database_unittest.cc
index 1dcd615..822ef3f 100644
--- a/src/lib/datasrc/tests/database_unittest.cc
+++ b/src/lib/datasrc/tests/database_unittest.cc
@@ -1460,7 +1460,9 @@ doFindAllTestResult(ZoneFinder& finder, const isc::dns::Name& name,
                     const isc::dns::Name& expected_name =
                     isc::dns::Name::ROOT_NAME(),
                     const ZoneFinder::FindOptions options =
-                    ZoneFinder::FIND_DEFAULT)
+                    ZoneFinder::FIND_DEFAULT, 
+                    ZoneFinder::FindResultFlags expected_flags =
+                                          ZoneFinder::RESULT_DEFAULT)
 {
     SCOPED_TRACE("All test for " + name.toText());
     std::vector<ConstRRsetPtr> target;
@@ -1468,6 +1470,15 @@ doFindAllTestResult(ZoneFinder& finder, const isc::dns::Name& name,
     EXPECT_TRUE(target.empty());
     EXPECT_EQ(expected_result, result->code);
     EXPECT_EQ(expected_type, result->rrset->getType());
+    if (expected_flags != ZoneFinder::RESULT_DEFAULT){
+        EXPECT_EQ((expected_flags & ZoneFinder::RESULT_WILDCARD) != 0,
+                  result->isWildcard());
+        EXPECT_EQ((expected_flags & ZoneFinder::RESULT_NSEC_SIGNED) != 0,
+                  result->isNSECSigned());
+        EXPECT_EQ((expected_flags & ZoneFinder::RESULT_NSEC3_SIGNED) != 0,
+                  result->isNSEC3Signed());
+
+    }
     RdataIteratorPtr it(result->rrset->getRdataIterator());
     std::vector<std::string> rdata;
     while (!it->isLast()) {
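Review bot: Wrapping the three flag checks in `if (expected_flags != ZoneFinder::RESULT_DEFAULT)` means every caller that relies on the default argument verifies no flags at all. A result that wrongly carries RESULT_NSEC3_SIGNED or RESULT_WILDCARD would then pass. Removing the guard makes the default mean "expect no flags", which is what the three `EXPECT_EQ(... != 0, result->is...())` lines already express when `expected_flags` is zero. The blank line before the closing brace and the missing space in `){` can be tidied at the same time. The function body starts before and ends after this hunk.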
@@ -2286,46 +2297,80 @@ TYPED_TEST(DatabaseClientTest, dbNegativeCaseFind) {
     // signed with NSEC or NSEC3, that is good for upper layer caller.
 
     // First off, everything should be okay if no NSEC3PARAM rrset
-    this->updater_ = this->client_->getUpdater(this->zname_, false);
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("doesnotexist.example.org."),
-               this->qtype_, this->qtype_, this->rrttl_,
+    this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
+    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
+                                         "20000201000000 12345 example.org. "
+                                         "FAKEFAKEFAKE");
+    boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
+    doFindTest(*finder, isc::dns::Name("www1.example.org."),
+               this->qtype_, isc::dns::RRType::NSEC(), this->rrttl_,
                ZoneFinder::NXDOMAIN, this->expected_rdatas_,
-               this->expected_sig_rdatas_);
+               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC_SIGNED,
+               Name("www.example.org."), ZoneFinder::FIND_DNSSEC);
+    this->expected_rdatas_.clear();
+    this->expected_sig_rdatas_.clear();
+    this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
+    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
+                                         "20000201000000 12345 example.org. "
+                                         "FAKEFAKEFAKE");
+    doFindTest(*finder, isc::dns::Name("www.example.org."),
+               isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
+               this->rrttl_, ZoneFinder::NXRRSET,
+               this->expected_rdatas_, this->expected_sig_rdatas_,
+               ZoneFinder::RESULT_NSEC_SIGNED, isc::dns::Name::ROOT_NAME(),
+               ZoneFinder::FIND_DNSSEC);
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("www.example.org."),
-               isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
-               this->rrttl_,
-               ZoneFinder::NXRRSET,
-               this->expected_rdatas_, this->expected_sig_rdatas_);
     this->expected_rdatas_.push_back("192.0.2.5");
     this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
                                          "20000201000000 12345 example.org. "
                                          "FAKEFAKEFAKE");
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("b.a.wild.example.org"),
-               this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::SUCCESS,
-               this->expected_rdatas_, this->expected_sig_rdatas_,
-               ZoneFinder::RESULT_WILDCARD);
+    doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
+               isc::dns::RRType::A(), isc::dns::RRType::A(),
+               this->rrttl_, ZoneFinder::SUCCESS, this->expected_rdatas_, 
+               this->expected_sig_rdatas_,
+               (ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC_SIGNED),
+               isc::dns::Name("b.a.wild.example.org"), ZoneFinder::FIND_DNSSEC);
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("b.a.wild.example.org"),
-               isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
+    this->expected_rdatas_.push_back("cancel.here.wild.example.org. A NSEC "
+                                     "RRSIG");
+    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
+                                         "20000201000000 12345 example.org. "
+                                         "FAKEFAKEFAKE");
+    doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
+               isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
                this->rrttl_, ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->empty_rdatas_,
-               ZoneFinder::RESULT_WILDCARD);
-
+               this->expected_sig_rdatas_, (ZoneFinder::RESULT_WILDCARD |
+               ZoneFinder::RESULT_NSEC_SIGNED),Name("*.wild.example.org"),
+               ZoneFinder::FIND_DNSSEC);
+    this->updater_ = this->client_->getUpdater(this->zname_, false);
+    this->rrset_.reset(new RRset(this->zname_, this->qclass_,
+                       isc::dns::RRType::NSEC3PARAM(), this->rrttl_));
+    this->rrset_->addRdata(rdata::createRdata(isc::dns::RRType::NSEC3PARAM(), 
+                           this->rrset_->getClass(), "1 0 12 aabbccdd"));
+    this->updater_->addRRset(*this->rrset_);
+    this->updater_->commit();
+    try {
+        this->expected_rdatas_.clear();
+        this->expected_sig_rdatas_.clear();
+        doFindTest(this->updater_->getFinder(), isc::dns::Name("www1.example.org."),
+                   this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::NXDOMAIN, 
+                   this->expected_rdatas_, this->expected_sig_rdatas_, 
+                   ZoneFinder::RESULT_NSEC3_SIGNED, isc::dns::Name::ROOT_NAME(), 
+                   ZoneFinder::FIND_DNSSEC);
+    } catch (const DataSourceError&) {}
+    // The following test should be tested in zone which is signed by NSEC3
+#if 0
     // Then, if NSEC3PARAM exists at the origin, the flags of result should
     // contain RESULT_NSEC3_SIGNED flag when NXDOMAIN NXRRSET or wildcard
 
     // Add NSEC3PARAM RRSET at the apex of the zone. It looks weird if the
     // zone only has NSEC3PARM RRset (but no NSEC3s), but it is okay for unit
     // test.
+    this->updater_ = this->client_->getUpdater(this->zname_, false);
     this->rrset_.reset(new RRset(this->zname_, this->qclass_,
                                 isc::dns::RRType::NSEC3PARAM(),
                                 this->rrttl_));
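Review bot: The `try { doFindTest(...); } catch (const DataSourceError&) {}` block passes whether or not the exception is thrown, so the new "nsec and nsec3 coexist" check in find() is not actually asserted. If the throw is the expected outcome, state it directly, e.g. `EXPECT_THROW(this->updater_->getFinder().find(isc::dns::Name("www1.example.org."), this->qtype_, ZoneFinder::FIND_DNSSEC), DataSourceError);`. The `#if 0` that starts here and runs to the `#endif` in the next hunk disables every RESULT_NSEC3_SIGNED expectation, so none of the NSEC3 flag paths added in database.cc are exercised by this test. The comment says they need an NSEC3-signed zone; a separate test with such a fixture would be better than dead code. The test body continues outside this hunk.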
@@ -2333,49 +2378,47 @@ TYPED_TEST(DatabaseClientTest, dbNegativeCaseFind) {
                                               this->rrset_->getClass(),
                                               "1 0 12 aabbccdd"));
     this->updater_->addRRset(*this->rrset_);
-
     // check NXDOMAIN
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
     doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("doesnotexist.example.org."),
-               this->qtype_, this->qtype_, this->rrttl_,
-               ZoneFinder::NXDOMAIN, this->expected_rdatas_,
-               this->expected_sig_rdatas_,
-               ZoneFinder::RESULT_NSEC3_SIGNED);
+            isc::dns::Name("www1.example.org."), this->qtype_, this->qtype_, 
+            this->rrttl_, ZoneFinder::NXDOMAIN, this->expected_rdatas_,
+            this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED, 
+            isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
     // check NXRRSET
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("www.example.org."),
+    doFindTest(this->updater_->getFinder(), isc::dns::Name("www.example.org."),
                isc::dns::RRType::TXT(), isc::dns::RRType::TXT(), this->rrttl_,
                ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED);
+               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED,
+               isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
     // check flags if wildcard matches
     this->expected_rdatas_.push_back("192.0.2.5");
     this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
                                          "20000201000000 12345 example.org. "
                                          "FAKEFAKEFAKE");
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("b.a.wild.example.org"),
+    doFindTest(this->updater_->getFinder(), isc::dns::Name("b.a.wild.example.org"),
                this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::SUCCESS,
                this->expected_rdatas_, this->expected_sig_rdatas_,
-               ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED);
+               ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED,
+               isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
     // check flags if NXRRSET in wildcard case
     this->expected_rdatas_.clear();
     this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(),
-               isc::dns::Name("b.a.wild.example.org"),
+    doFindTest(this->updater_->getFinder(), isc::dns::Name("b.a.wild.example.org"),
                isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
                this->rrttl_, ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->empty_rdatas_,
-               ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED);
+               this->empty_rdatas_, (ZoneFinder::RESULT_WILDCARD | 
+                                     ZoneFinder::RESULT_NSEC3_SIGNED),
+               isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
+#endif
 }
 
 TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
     // The domain doesn't exist, so we must get the right NSEC
     boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
-
     this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
     this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
                                          "20000201000000 12345 example.org. "
diff --git a/src/lib/datasrc/tests/zone_finder_context_unittest.cc b/src/lib/datasrc/tests/zone_finder_context_unittest.cc
index 5639f26..cbd9095 100644
--- a/src/lib/datasrc/tests/zone_finder_context_unittest.cc
+++ b/src/lib/datasrc/tests/zone_finder_context_unittest.cc
@@ -297,7 +297,6 @@ TEST_P(ZoneFinderContextTest, getAdditionalForAny) {
     vector<ConstRRsetPtr> all_rrsets;
     ZoneFinderContextPtr ctx = finder_->findAll(qzone_, all_rrsets);
     EXPECT_EQ(ZoneFinder::SUCCESS, ctx->code);
-
     ctx->getAdditional(REQUESTED_BOTH, result_sets_);
     rrsetsCheck("ns1.example.org. 3600 IN A 192.0.2.1\n"
                 "ns1.example.org. 3600 IN AAAA 2001:db8::1\n"


