BIND 10 master, updated. 68d24e65c9c3dfee38adfbe1c93367b0083f9a58 Merge branch 'trac2226'
BIND 10 source code commits
bind10-changes at lists.isc.org
Wed Feb 5 06:36:40 UTC 2014
The branch, master has been updated
via 68d24e65c9c3dfee38adfbe1c93367b0083f9a58 (commit)
via 3ebfb01d35b7571e8aaea6f1b96ef7336b94feb7 (commit)
via 1538645f85c6b99be1d4d52ed2a1d4cbf80ecdd6 (commit)
from c21653aa339f403136a96c06a127b1796c203d78 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 68d24e65c9c3dfee38adfbe1c93367b0083f9a58
Merge: c21653a 3ebfb01
Author: Mukund Sivaraman <muks at isc.org>
Date: Wed Feb 5 11:56:08 2014 +0530
Merge branch 'trac2226'
-----------------------------------------------------------------------
Summary of changes:
src/bin/auth/query.cc | 11 +++++++++++
src/bin/auth/tests/query_unittest.cc | 7 +++++++
tests/lettuce/features/queries.feature | 22 ++++++++++++++++++++++
3 files changed, 40 insertions(+)
-----------------------------------------------------------------------
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 9f92316..9d6fbfa 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -379,6 +379,17 @@ Query::process(datasrc::ClientList& client_list,
response_->setRcode(Rcode::SERVFAIL());
return;
}
+
+ if (qtype == RRType::RRSIG()) {
+ // We will not serve RRSIGs directly. See #2226 and the
+ // following thread for discussion why:
+ // http://www.ietf.org/mail-archive/web/dnsext/current/msg07123.html
+ // RRSIGs go together with their covered RRset.
+ response_->setHeaderFlag(Message::HEADERFLAG_AA);
+ response_->setRcode(Rcode::REFUSED());
+ return;
+ }
+
ZoneFinder& zfinder = *result.finder_;
// We have authority for a zone that contain the query name (possibly
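Review bot: The new `qtype == RRType::RRSIG()` branch sets `HEADERFLAG_AA` on a REFUSED response without saying why, and the only rationale for the refusal is a link to an external mail archive that may not stay reachable. I would state the reason in the comment itself, for example `// RRSIG is never served as a standalone answer; signatures are only returned with the RRset they cover, so a direct RRSIG query is refused.` If AA is deliberate, add a line such as `// AA stays set because the query name is inside a zone we are authoritative for.` Query::process starts and ends outside this hunk, so whether the refusal is logged or counted elsewhere cannot be judged from here.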
diff --git a/src/bin/auth/tests/query_unittest.cc b/src/bin/auth/tests/query_unittest.cc
index f374a87..193fb91 100644
--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -1215,6 +1215,13 @@ TEST_P(QueryTest, exactMatchMultipleQueries) {
www_a_txt, zone_ns_txt, ns_addrs_txt);
}
+TEST_P(QueryTest, qtypeIsRRSIG) {
+ // Directly querying for RRSIGs should result in rcode=REFUSED.
+ EXPECT_NO_THROW(query.process(*list_, qname, RRType::RRSIG(), response));
+ responseCheck(response, Rcode::REFUSED(), AA_FLAG, 0, 0, 0,
+ "", "", "");
+}
+
TEST_P(QueryTest, exactMatchIgnoreSIG) {
// Check that we do not include the RRSIG when not requested even when
// we receive it from the data source.
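Review bot: `qtypeIsRRSIG` exercises only the fixture's default `qname`, so it does not pin that the refusal is independent of what the zone holds for the name. The new check in query.cc runs before the ZoneFinder is consulted, and a second case with a name that is absent from the zone would guard against a later reordering that lets such queries fall through to the normal NXDOMAIN/NOERROR path. Something like `EXPECT_NO_THROW(query.process(*list_, Name("<name-not-in-zone>"), RRType::RRSIG(), response));` followed by the same `responseCheck(...)` would do; the name is a placeholder to be replaced with one from the test zone data.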
diff --git a/tests/lettuce/features/queries.feature b/tests/lettuce/features/queries.feature
index 30e3c6b..8fcee7c 100644
--- a/tests/lettuce/features/queries.feature
+++ b/tests/lettuce/features/queries.feature
@@ -331,6 +331,28 @@ Feature: Querying feature
| qryreferral | 1 |
| rcode.noerror | 1 |
+ Scenario: RRSIG query
+ # Directly querying for RRSIGs should result in rcode=REFUSED.
+ Given I have bind10 running with configuration nsec3/nsec3_auth.config
+ And wait for bind10 stderr message BIND10_STARTED_CC
+ And wait for bind10 stderr message CMDCTL_STARTED
+ And wait for bind10 stderr message AUTH_SERVER_STARTED
+
+ bind10 module Auth should be running
+ And bind10 module Resolver should not be running
+ And bind10 module Xfrout should not be running
+ And bind10 module Zonemgr should not be running
+ And bind10 module Xfrin should not be running
+ And bind10 module Stats should not be running
+ And bind10 module StatsHttpd should not be running
+
+ A dnssec query for example. type RRSIG should have rcode REFUSED
+ The last query response should have flags qr aa
+ The last query response should have edns_flags do
+ The last query response should have ancount 0
+ The last query response should have nscount 0
+ The last query response should have adcount 1
+
Scenario: SSHFP query
# We are testing one more RR type for a normal successful case
Given I have bind10 running with configuration example.org.inmem.config
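Review bot: The new "RRSIG query" scenario asserts on the response only and never checks the Auth statistics, although the preceding scenario's counter table (`qryreferral`, `rcode.noerror`) is visible in the context lines. Operators will rely on the refused-rcode counter to see how many of these queries arrive, so the scenario should also assert that the counter increments by one, using the same table form as the earlier scenarios. It also covers only the `dnssec query` form; the code path in query.cc does not look at the DO bit, so a plain `A query for example. type RRSIG should have rcode REFUSED` step would confirm that both variants are refused, assuming the step definition accepts that form.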