BIND 10 #1177: NSEC support in new data source

BIND 10 Development do-not-reply at isc.org
Mon Sep 26 11:27:52 UTC 2011 

#1177: NSEC support in new data source
-------------------------------------+-------------------------------------
                   Reporter:         |                 Owner:  jinmei
  jinmei                             |                Status:  reviewing
                       Type:  task   |             Milestone:
                   Priority:  major  |  Sprint-20110927
                  Component:  data   |            Resolution:
  source                             |             Sensitive:  0
                   Keywords:         |           Sub-Project:  DNS
            Defect Severity:  N/A    |  Estimated Difficulty:  5
Feature Depending on Ticket:         |           Total Hours:  0
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Changes (by vorner):

 * owner:  vorner => jinmei


Comment:

 Hello

 Replying to [comment:18 jinmei]:
 > Case 2 shouldn't trigger an exception because it's a completely valid
 > (and actually today's most common) case.

 I think that the higher level should not set FIND_DNSSEC in that case, to
 avoid looking for the data.

 So, in that sense, it shouldn't happen here as well.

 > In case 3, we should probably thrown DataSourceError, which would
 > subsequently result in SERVFAIL to the query.

 ACK.

 > But the notion of "is_signed" flag is beyond the scope of this ticket,
 > I cannot implement this idea yet.  So, as a short term compromise, I'd
 > suggest the following logic for now:

 Yes, agreed. But it seems to be needed. I added some FIXME notes about the
 places needing update and I'll create the ticket when merging this.

 > If the above makes sense, my latest suggestion is to slightly adjust
 > the code to implement the latter logic (we probably need a couple of
 > additional tests), create a new ticket for the notion of "is signed"
 > flag of a zone, and refer to this discussion with a note that this
 > issues should be solved in that ticket, too.

 I think it should be implemented now.

 I also unified the code that gets the covering NSEC RRset, so they are the
 same.

 > Ah, okay, I was confused.  Then the code and test are okay (except the
 > above bug regarding exception).  This also makes me wonder we should
 > describe in ZoneFinder::find() more details about what's expected in
 > various negative cases especially when FIND_DNSSEC is on.

 I added some documentation, hopefully I didn't forget anything that is not
 clear.

-- 
Ticket URL: <https://bind10.isc.org/ticket/1177#comment:20>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list