BIND 10 #1583: auth::Query NSEC3 support: Wildcard no data case

BIND 10 Development do-not-reply at isc.org
Sat Jan 21 02:39:11 UTC 2012


#1583: auth::Query NSEC3 support: Wildcard no data case
-----------------------------------------+-------------------------------------------
                   Reporter:  jinmei     |                 Owner:
                       Type:  task       |                Status:  new
                   Priority:  major      |             Milestone:  Next-Sprint-Proposed
                  Component:  b10-auth   |            Resolution:
                   Keywords:             |             Sensitive:  0
            Defect Severity:  N/A        |           Sub-Project:  DNS
Feature Depending on Ticket:             |  Estimated Difficulty:  0
        Add Hours to Ticket:  0          |           Total Hours:  0
                  Internal?:  0          |
-----------------------------------------+-------------------------------------------
Description changed by jinmei:

Old description:

> This task implements RFC5155 7.2.5 and updates
> ZoneFinder::WILDCARD_NXRRSET case of Query::process():
> - call findNSEC3(recursive = false) for rrset.getName() of the
>   returned rrset (it's for the matching wildcard).  It will return
>   the NSEC3 that matches the wildcard.  If the result is not exact
>   matching we'd probably return SERVFAIL.
> - call findNSEC3(recursive = true) for qname.  It will return the
>   NSEC3 of the provable closest enclosure.  Its label length should
>   be shorter than that of qname; otherwise we'd probably return
>   SERVFAIL.
> - construct the next closer name based on the closest enclosure and
>   qname, and call findNSEC3(recursive = false) for it.  It will
>   return the NSEC3 covering the next closer.  This shouldn't be an
>   exact match; otherwise we'd probably return SERVFAIL.
> - add the returned NSEC3s to the authority section
>
> Depends on #1431.

New description:

 (updated based on #1431 discussion)

 This task implements RFC5155 7.2.5 and updates ZoneFinder::NXRRSET
 case (with RESULT_WILDCARD and RESULT_NSEC3_SIGNED flags) of
 Query::process():

 - call findNSEC3(recursive=true) for qname.  It will return the
   closest encloser proof of the non existence of the qname.  If
   next_proof is null, it's a run time collision or otherwise broken
   zone, so return SERVFAIL.
 - construct the matching wildcard name.  It's a wildcard label (*)
   prepended to the closest encloser identified in the first step.
   Then call findNSEC3(recursive=false) for the wildcard name.  It
   should return the matching NSEC for the wildcard.  If it's not
   matching, return SERVFAIL.
 - add the returned NSEC3s to the authority section

 Depends on #1431.

-- 
Ticket URL: <http://bind10.isc.org/ticket/1583#comment:1>
BIND 10 Development <http://bind10.isc.org>
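
The two-step procedure in the new description, as an added Python sketch that is not BIND 10 code or part of the original ticket. Zone, find_nsec3 and wildcard_nodata are hypothetical, simplified stand-ins for the finder's findNSEC3 and for Query::process(); the salt and iteration count are those of the RFC 5155 Appendix A example zone, and the zone contents are constructed.

```python
import base64, bisect, hashlib
from collections import namedtuple

NSEC3 = namedtuple("NSEC3", "hash owner matched")  # owner kept only for readability
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=bytes.fromhex("aabbccdd"), iterations=12):
    """RFC 5155 section 5: iterated, salted SHA-1 of the lower-cased wire name."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.lower().split("."))
    digest = hashlib.sha1(wire + b"\x00" + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

class Zone:
    def __init__(self, names):
        self.chain = sorted((nsec3_hash(n), n) for n in names)  # hash-ordered ring

    def _lookup(self, name):
        """NSEC3 that matches the name's hash, or else the one covering it."""
        h = nsec3_hash(name)
        i = bisect.bisect_right(self.chain, (h, "\uffff")) - 1  # -1 wraps to last
        return NSEC3(*self.chain[i], self.chain[i][0] == h)

    def find_nsec3(self, name, recursive):
        """Simplified stand-in: returns (closest_proof, next_proof)."""
        labels = name.split(".")
        for i in range(len(labels) if recursive else 1):
            rec = self._lookup(".".join(labels[i:]))
            if rec.matched or not recursive:
                # next closer name = closest encloser plus one more label of qname
                nxt = self._lookup(".".join(labels[i - 1:])) if i else None
                return rec, nxt
        return None, None

def wildcard_nodata(zone, qname):
    closest, next_proof = zone.find_nsec3(qname, recursive=True)
    if closest is None or next_proof is None:   # collision or broken zone
        return "SERVFAIL", []
    wild, _ = zone.find_nsec3("*." + closest.owner, recursive=False)
    if not wild.matched:                        # wildcard's NSEC3 is missing
        return "SERVFAIL", []
    return "NOERROR", [closest, next_proof, wild]  # goes into the authority section

# Constructed sample zone, names modelled on the RFC 5155 Appendix A example zone.
ZONE = Zone(["example", "a.example", "ns1.example", "w.example",
             "*.w.example", "x.w.example", "y.w.example", "x.y.w.example"])
```

A real implementation would also drop duplicates when the same NSEC3 record serves more than one of the three roles.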