BIND 10 #1585: auth::Query NSEC3 support: Unsigned referrals case

BIND 10 Development do-not-reply at isc.org
Sat Jan 21 03:24:53 UTC 2012 

#1585: auth::Query NSEC3 support: Unsigned referrals case
-------------------------------------+-------------------------------------
                   Reporter:         |                 Owner:
  jinmei                             |                Status:  new
                       Type:  task   |             Milestone:  Next-Sprint-
                   Priority:  major  |  Proposed
                  Component:         |            Resolution:
  b10-auth                           |             Sensitive:  0
                   Keywords:         |           Sub-Project:  DNS
            Defect Severity:  N/A    |  Estimated Difficulty:  0
Feature Depending on Ticket:  NSEC3  |           Total Hours:  0
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Description changed by jinmei:

Old description:

> This task implements RFC5155 7.2.7 and further updates #1573 in case
> it results in NXRRSET, and if the returned RRset is not of NSEC:
> - call findNSEC3(recursive = true) for the delegation name.  It will
>   return either the NSEC3 that matches the delegation name or the
>   NSEC3 that matches the closest provable enclosure of the
>   delegation name (but different from it).  These two cases can be
>   distinguished by label comparison.
> - If it's the NSEC3 of the closest provable enclosure, construct the
>   next closer name and call findNSEC3(recursive = false) for it.  It
>   will return the NSEC3 that covers the next closer.  The result
>   shouldn't be an exact match; otherwise wed' probably return
>   SERVFAIL.
> - add the returned NSEC3s to the authority section.
>
> Depends on #1431 and #1573.

New description:

 (updated based on #1431 discussion)

 This task implements RFC5155 7.2.7 and further updates #1573 in case
 it results in NXRRSET with RESULT_NSEC3_SIGNED flag:
 - call findNSEC3(recursive=true) for the delegation name.  It will
   return either the NSEC3 that matches the delegation name or the
   closest encloser proof for the delegation name (in case of that
   delegation is optout'ed).  These two cases can be distinguished by
   checking whether next_proof is null.
 - add the returned NSEC3(s) to the authority section.

 Depends on #1431 and #1573.

--

-- 
Ticket URL: <http://bind10.isc.org/ticket/1585#comment:1>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list