BIND 10 #1573: auth::Query needs to return DS for secure delegation
BIND 10 Development
do-not-reply at isc.org
Thu Jan 26 14:40:13 UTC 2012
#1573: auth::Query needs to return DS for secure delegation
-------------------------------------+-------------------------------------
Reporter: jinmei                     | Owner: jinmei
Type: task                           | Status: reviewing
Priority: critical                   | Milestone: Sprint-20120207
Component: b10-auth                  | Resolution:
Keywords:                            | Sensitive: 0
Defect Severity: N/A                 | Sub-Project: DNS
Feature Depending on Ticket:         | Estimated Difficulty: 5
Add Hours to Ticket: 0               | Total Hours: 4
Internal?: 0                         |
-------------------------------------+-------------------------------------
Changes (by jelte):
* owner: jelte => jinmei
Comment:
Replying to [comment:6 jinmei]:
> First, I made a couple of trivial editorial fixes.
>
> '''query.cc'''
>
> - I'd suggest rename parameter name for `ZoneFinder` from "zone" to
> "finder", partly for consistency, and partly because it's more
> appropriate in terms of what it is.
ok
> - If DS isn't found (and the zone is signed with NSEC) we need to add
> NSEC (maybe it was not clear from the ticket description, if so,
> sorry about that). I cannot find normative text about this in
> RFC4035 (it only provides an example in an appendix), but that's how
> BIND 9 works, and apparently so do all root servers. Note also that
> the header file documentation would also have to be updated.
Doh, of course. Actually it is mentioned in section 3.1.4. Abstracted the
handling of the NXRRSET response for this, to avoid duplicate code.
> - We should also probably handle a pathological case where find(DS)
> results in neither SUCCESS or NXRRSET (return SERVFAIL?)
>
check
> '''unittest'''
>
Snipped your comments here; I radically changed the additions. Instead of
overloading the existing delegation.example.com., I decided it would be
cleaner to add a few more delegations specifically for these tests:
signed-delegation, unsigned-delegation, and bad-signed-delegation (which
errors when looking for the DS record), with out-of-zone NS targets, so
the response does not get cluttered with other info.
> - Not really related to this branch, but I noticed one oddity in the
> additional section: glue RRs should normally not have RRSIGs. But
> it's probably okay for the Query class to include them if it happens
> to be passed such odd RRSIGs.
>
probably better than to trip over it.
> '''other'''
>
> maybe we need a changelog for this?
Ack.
[func] jelte
The in-memory datasource now correctly includes DS records (or the denial
of its existence if NSEC is used) when returning a delegation from a
signed zone.
(Trac 1573, git ###)
--
Ticket URL: <http://bind10.isc.org/ticket/1573#comment:8>
BIND 10 Development <http://bind10.isc.org>
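The referral-building rules discussed in this ticket (DS on a secure delegation, the NSEC at the cut when there is no DS, SERVFAIL when find(DS) returns anything else), modelled as an added example; this is not BIND 10 code, and the `Finder`, `RRset`, `ZONE` and `build_referral` names and the zone data are constructed for the illustration.

```python
from dataclasses import dataclass

SUCCESS, NXRRSET, OTHER = "SUCCESS", "NXRRSET", "OTHER"

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple

# Constructed sample zone signed with NSEC; the three delegations mirror the
# ticket's test cases, with out-of-zone NS targets so no glue is needed.
ZONE = {
    "example.com.": {
        "NS": ("ns.out.example.",),
        "NSEC": ("bad-signed-delegation.example.com. NS SOA RRSIG NSEC DNSKEY",)},
    "bad-signed-delegation.example.com.": {
        "NS": ("ns.out.example.",),
        "NSEC": ("signed-delegation.example.com. NS DS RRSIG NSEC",)},
    "signed-delegation.example.com.": {
        "NS": ("ns.out.example.",),
        "DS": ("12345 8 2 DEADBEEF",),  # constructed placeholder digest
        "NSEC": ("unsigned-delegation.example.com. NS DS RRSIG NSEC",)},
    "unsigned-delegation.example.com.": {
        "NS": ("ns.out.example.",),
        "NSEC": ("example.com. NS RRSIG NSEC",)},
}

class Finder:
    """Stand-in for a zone finder's find(name, type); not the BIND 10 API."""
    def find(self, name, rtype):
        node = ZONE.get(name)
        if node is None or (name.startswith("bad-signed") and rtype == "DS"):
            return OTHER, None  # models a data-source error on the DS lookup
        if rtype in node:
            return SUCCESS, RRset(name, rtype, node[rtype])
        # NXRRSET: the NSEC at the owner name proves the type is absent
        return NXRRSET, RRset(name, "NSEC", node["NSEC"])

def build_referral(finder, zone_cut):
    """Authority section for a referral at zone_cut, per the ticket's rules."""
    code, ns = finder.find(zone_cut, "NS")
    if code != SUCCESS:
        return "SERVFAIL", []
    code, ds_or_nsec = finder.find(zone_cut, "DS")
    if code == SUCCESS:   # secure delegation: DS goes with the NS RRset
        return "NOERROR", [ns, ds_or_nsec]
    if code == NXRRSET:   # insecure delegation: NSEC proves there is no DS
        return "NOERROR", [ns, ds_or_nsec]
    return "SERVFAIL", []  # neither SUCCESS nor NXRRSET from find(DS)
```

A real DNSSEC referral would also carry the RRSIGs covering the DS or NSEC RRset; the model leaves signatures out.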