BIND 10 #1580: auth::Query NSEC3 support: Name Error case

BIND 10 Development do-not-reply at isc.org
Sat Jan 21 02:21:21 UTC 2012


#1580: auth::Query NSEC3 support: Name Error case
-------------------------------------+-------------------------------------
                    Reporter:  jinmei   |                  Owner:
                        Type:  task     |                 Status:  new
                    Priority:  major    |              Milestone:  Next-Sprint-Proposed
                   Component:  b10-auth |             Resolution:
                    Keywords:           |              Sensitive:  0
             Defect Severity:  N/A      |            Sub-Project:  DNS
 Feature Depending on Ticket:  NSEC3    |   Estimated Difficulty:  0
         Add Hours to Ticket:  0        |            Total Hours:  0
                   Internal?:  0        |
-------------------------------------+-------------------------------------
Description changed by jinmei:

Old description:

> This task implements RFC5155 7.2.2 (and (7.2.9) and
> update ZoneFinder::NXDOMAIN case of Query::process():
>
> - call findNSEC3(recursive = true) for the returned rrset.getName().
>   it will return the NSEC3 of the closest provable enclosure.
> - construct the next closer name and call findNSEC3(recursive =
>   false) for it.  It will return NSEC3 covering the next closer.
>   The result should be covering (not exact); otherwise it means a
>   run-time collision, so we should return SERVFAIL as described
>   in RFC5155 7.2.9.
> - construct the possible best wildcard name from the closest
>   provable enclosure and call findNSEC3(recursive = false) for it.
>   It will return NSEC3 covering the wildcard name.
> - add the returned NSEC3s to the authority section
>
> This task depends on #1431.

New description:

 (updated based on #1431 discussion)

 This task implements RFC5155 7.2.2 (and 7.2.9) and
 updates the ZoneFinder::NXDOMAIN case of Query::process():

 - call findNSEC3(qname, recursive=true).  It should return
   the closest encloser proof. If next_proof is null, it means a
   run-time collision (or the zone is otherwise broken), so we should
   return SERVFAIL as described in RFC5155 7.2.9.
 - construct the possible best wildcard name from the closest
   provable encloser and call findNSEC3(recursive = false) for it.
   It will return NSEC3 covering the wildcard name.
 - add the returned NSEC3s to the authority section

 This task depends on #1431.

-- 
Ticket URL: <http://bind10.isc.org/ticket/1580#comment:2>
BIND 10 Development <http://bind10.isc.org>
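
The name-error procedure in the new description, worked through as an added Python example; it is not BIND 10 code and not part of the ticket. The zone contents, the function names and the choice to treat an exact match on the wildcard name like the next-closer case are assumptions; the closest encloser walk stands in for what the ticket expects from findNSEC3(qname, recursive=true).

```python
import base64
import hashlib

# Constructed sample zone (names in the style of the RFC 5155 example zone, not from the ticket).
ZONE = ["example", "a.example", "ns1.example", "w.example", "*.w.example", "x.w.example"]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: iterated, salted SHA-1 of the lower-cased wire-format name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def name_error_proof(qname, zone_names=ZONE):
    """Owner hashes of the NSEC3s for an NXDOMAIN answer, or None for SERVFAIL."""
    chain = sorted(nsec3_hash(n) for n in zone_names)

    def covering(hashed):
        if hashed in chain:            # exact match where a cover is required
            return None
        lower = [owner for owner in chain if owner < hashed]
        return lower[-1] if lower else chain[-1]   # last NSEC3 wraps to the first

    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):    # qname itself does not exist; start at its parent
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser) not in chain:
            continue
        # Closest encloser found: the name one label longer is the next closer name.
        next_closer = covering(nsec3_hash(".".join(labels[i - 1:])))
        # Assumption: an exact match on the wildcard is handled like the next closer case.
        wildcard = covering(nsec3_hash("*." + encloser))
        if next_closer is None or wildcard is None:
            return None                # collision or broken zone: SERVFAIL (RFC 5155 7.2.9)
        return nsec3_hash(encloser), next_closer, wildcard
    return None                        # no ancestor in the zone: broken input

if __name__ == "__main__":
    print(name_error_proof("a.c.x.w.example"))   # three NSEC3 owner hashes
    print(name_error_proof("ns1.example"))       # hash matches an owner -> None
```

The three returned owner hashes identify the NSEC3 RRsets that go into the authority section; a None result corresponds to the SERVFAIL branch.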