BIND 10 master, updated. b4b8c1e5392a8aeee4402bc97f776cfc889f43c6 [master] Merge branch 'master' of ssh://git.bind10.isc.org/var/bind10/git/bind10 commit.

BIND 10 source code commits bind10-changes at lists.isc.org
Tue Feb 12 18:02:25 UTC 2013


The branch, master has been updated
       via  b4b8c1e5392a8aeee4402bc97f776cfc889f43c6 (commit)
       via  24c235cb1b379c6472772d340e21577c3460b742 (commit)
       via  78b66fd894cd71185baeef5f4eddce6c9572278e (commit)
       via  a272beeb913cd0adaf04080b0f4284e1510085a6 (commit)
       via  0b249de43aad4472b98dfb147a7f3ac1c15c1d3c (commit)
       via  00116a66e0d365563789ff4ed56cb3a08cb95156 (commit)
      from  70632300d70401c696161dff39ad126ff98663df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b4b8c1e5392a8aeee4402bc97f776cfc889f43c6
Merge: 24c235c 7063230
Author: JINMEI Tatuya <jinmei at isc.org>
Date:   Tue Feb 12 10:01:54 2013 -0800

    [master] Merge branch 'master' of ssh://git.bind10.isc.org/var/bind10/git/bind10
     commit.

commit 24c235cb1b379c6472772d340e21577c3460b742
Merge: 88b964a 78b66fd
Author: JINMEI Tatuya <jinmei at isc.org>
Date:   Tue Feb 12 09:59:39 2013 -0800

    [master] Merge branch 'trac2659'

-----------------------------------------------------------------------

Summary of changes:
 src/bin/auth/query.cc                              |   20 ++++----
 src/bin/auth/tests/query_unittest.cc               |   48 +++++++++++++-------
 src/bin/auth/tests/testdata/example-base-inc.zone  |    5 ++
 src/bin/auth/tests/testdata/example-nsec3-inc.zone |    2 +-
 4 files changed, 50 insertions(+), 25 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index a2a4117..c5b9b16 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -298,14 +298,18 @@ Query::addNXRRsetProof(ZoneFinder& finder,
             addWildcardNXRRSETProof(finder, db_context.rrset);
         }
     } else if (db_context.isNSEC3Signed() && !db_context.isWildcard()) {
-        if (*qtype_ == RRType::DS()) {
-            // RFC 5155, Section 7.2.4.  Add either NSEC3 for the qname or
-            // closest (provable) encloser proof in case of optout.
-            addClosestEncloserProof(finder, *qname_, true);
-        } else {
-            // RFC 5155, Section 7.2.3.  Just add NSEC3 for the qname.
-            addNSEC3ForName(finder, *qname_, true);
-        }
+        // Section 7.2.3 and 7.2.4 of RFC 5155 with clarification by errata
+        // http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=3441
+        // In the end, these two cases are basically the same: if the qname is
+        // equal to or derived from insecure delegation covered by an Opt-Out
+        // NSEC3 RR, include the closest provable encloser proof; otherwise we
+        // have a matching NSEC3, so we include it.
+        //
+        // Note: This implementation does not check in the former case whether
+        // the NSEC3 for the next closer has Opt-Out bit on; this must be the
+        // case as long as the zone is correctly signed, and if it's broken
+        // we'd just return what we are given and have the validator detect it.
+        addClosestEncloserProof(finder, *qname_, true);
     } else if (db_context.isNSEC3Signed() && db_context.isWildcard()) {
         // Case for RFC 5155 Section 7.2.5: add closest encloser proof for the
         // qname, construct the matched wildcard name and add NSEC3 for it.
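Review bot: The surviving call `addClosestEncloserProof(finder, *qname_, true);` now carries a bare boolean whose meaning a reader has to look up in the callee, while the eleven-line comment above it explains the RFC 5155 rationale but never says what that third argument selects at this call site. A short trailing comment naming it would keep the hunk self-explanatory; the parameter name is not visible here, so I cannot propose the exact wording. addNXRRsetProof begins and ends outside the hunk.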
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index 9822768..3416acb 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -217,6 +217,13 @@ public:
             "t644ebqk9bibcna874givr6joj62mlhv";
         hash_map_[Name("www1.uwild.example.com")] =
             "q04jkcevqvmu85r014c7dkba38o0ji6r"; // a bit larger than H(www)
+
+        // For empty-non-terminal derived from insecure delegation (we don't
+        // need a hash for the delegation point itself for that test).  the
+        // hash for empty name is the same as that for unsigned-delegation
+        // above, as the case is similar to that.
+        hash_map_[Name("empty.example.com")] =
+            "q81r598950igr1eqvc60aedlq66425b5"; // a bit larger than H(www)
     }
     virtual string calculate(const Name& name) const {
         const NSEC3HashMap::const_iterator found = hash_map_.find(name);
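Review bot: The trailing comment on the new hash_map_ entry, `// a bit larger than H(www)`, appears to have been carried over from the www1.uwild line just above it, while the explanatory comment immediately before says the value is the same as the unsigned-delegation hash; the two statements cannot both describe the value. Either drop the trailing comment or make it say what the value is relative to the other hashes, e.g. `// same as unsigned-delegation (see above)` if that is the intent. The same comment also starts a sentence in lower case: `test).  the hash` should read `test).  The hash`.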
@@ -262,8 +269,6 @@ public:
 // to child zones are identified by the existence of non origin NS records.
 // Another special name is "dname.example.com".  Query names under this name
 // will result in DNAME.
-// This mock zone doesn't handle empty non terminal nodes (if we need to test
-// such cases find() should have specialized code for it).
 class MockZoneFinder : public ZoneFinder {
 public:
     MockZoneFinder() :
@@ -2468,21 +2473,32 @@ TEST_P(QueryTest, nxrrsetWithNSEC3) {
                   NULL, mock_finder->getOrigin());
 }
 
-// Check the exception is correctly raised when the NSEC3 thing isn't in the
-// zone
-TEST_F(QueryTestForMockOnly, nxrrsetMissingNSEC3) {
-    // This is a broken data source scenario; works only with mock.
-
-    mock_finder->setNSEC3Flag(true);
-    // We just need it to return false for "matched". This indicates
-    // there's no exact match for NSEC3 on www.example.com.
-    ZoneFinder::FindNSEC3Result nsec3(false, 0, ConstRRsetPtr(),
-                                      ConstRRsetPtr());
-    mock_finder->setNSEC3Result(&nsec3);
+TEST_P(QueryTest, nxrrsetDerivedFromOptOutNSEC3) {
+    // In this test we emulate the situation where an empty non-terminal name
+    // is derived from insecure delegation and covered by an opt-out NSEC3.
+    // In the actual test data the covering NSEC3 really has the opt-out
+    // bit set, although the implementation doesn't check it anyway.
+    enableNSEC3(rrsets_to_add_);
+    query.process(*list_, Name("empty.example.com"), RRType::TXT(), response,
+                  true);
 
-    EXPECT_THROW(query.process(*list_, Name("www.example.com"),
-                               RRType::TXT(), response, true),
-                 Query::BadNSEC3);
+    // The closest provable encloser is the origin name (example.com.), and
+    // the next closer is the empty name itself, which is expected to be
+    // covered by an opt-out NSEC3 RR.  The response should contain these 2
+    // NSEC3s.
+    responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
+                  (string(soa_minttl_txt) +
+                   string("example.com. 0 IN RRSIG ") +
+                   getCommonRRSIGText("SOA") + "\n" +
+                   string(nsec3_apex_txt) + "\n" +
+                   nsec3_hash_.calculate(Name("example.com.")) +
+                   ".example.com. 3600 IN RRSIG " +
+                   getCommonRRSIGText("NSEC3") + "\n" +
+                   string(nsec3_www_txt) + "\n" +
+                   nsec3_hash_.calculate(Name("www.example.com.")) +
+                   ".example.com. 3600 IN RRSIG " +
+                   getCommonRRSIGText("NSEC3") + "\n").c_str(),
+                  NULL, mock_finder->getOrigin());
 }
 
 TEST_P(QueryTest, nxrrsetWithNSEC3_ds_exact) {
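Review bot: The deleted nxrrsetMissingNSEC3 test was the only visible check that a data source lacking the expected NSEC3 yields a defined failure (`Query::BadNSEC3`), and the replacement nxrrsetDerivedFromOptOutNSEC3 only exercises a well-formed zone. Since the non-DS NXRRSET path now goes through addClosestEncloserProof instead of addNSEC3ForName, whatever that helper does when no matching or covering NSEC3 exists — throw, or, as the query.cc comment suggests, return whatever the zone supplies — is no longer pinned by any test; a mock-only replacement for the broken-zone case would keep that behaviour documented and would tell an operator what to expect from a mis-signed zone. The new test's own comment notes that the Opt-Out bit is not checked, so nothing here would fail if the test data lost that flag; stating that dependency next to the covering NSEC3 in the zone data would help whoever next edits it.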
diff --git a/src/bin/auth/tests/testdata/example-base-inc.zone b/src/bin/auth/tests/testdata/example-base-inc.zone
index bbcbef1..8b76132 100644
--- a/src/bin/auth/tests/testdata/example-base-inc.zone
+++ b/src/bin/auth/tests/testdata/example-base-inc.zone
@@ -234,3 +234,8 @@ bad-delegation.example.com. 3600 IN NS ns.example.net.
 ;; or NSEC3 that proves it.
 ;var=nosec_delegation_txt
 nosec-delegation.example.com. 3600 IN NS ns.nosec.example.net.
+
+;; Setup for emulating insecure delegation that contain an empty name.
+;; the delegation itself isn't expected to be used directly in tests.
+;var=
+delegation.empty.example.com. 3600 IN NS ns.delegation.empty.example
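Review bot: The added NS target `ns.delegation.empty.example` has no trailing dot and no `.com` label, unlike every other NS target in this hunk (`ns.example.net.`, `ns.nosec.example.net.`), so a loader would read it relative to the origin. The comment above says the delegation itself is not used directly, so this may be harmless, but if it is a typo it is worth fixing before a later test depends on the name; `delegation.empty.example.com. 3600 IN NS ns.delegation.empty.example.com.` looks like the intended line. The bare `;var=` marker on the line before also departs from the `;var=name` convention used just above — presumably deliberate to mean "no variable", but a word saying so would help.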
diff --git a/src/bin/auth/tests/testdata/example-nsec3-inc.zone b/src/bin/auth/tests/testdata/example-nsec3-inc.zone
index 7742df0..d480ffe 100644
--- a/src/bin/auth/tests/testdata/example-nsec3-inc.zone
+++ b/src/bin/auth/tests/testdata/example-nsec3-inc.zone
@@ -1,4 +1,4 @@
-;; See query_testzone_data.txt for general notes.
+;; See example-base-inc.zone for general notes.
 
 ;; NSEC3PARAM.  This is needed for database-based data source to
 ;; signal the zone is NSEC3-signed


