BIND 10 #2420: allow loading zones containing an orphan RRSIG

BIND 10 Development do-not-reply at isc.org
Tue Nov 13 02:50:30 UTC 2012


#2420: allow loading zones containing an orphan RRSIG
------------------------------------------+-------------------------------------
                   Reporter:  jinmei      |                 Owner:  jinmei
                       Type:  defect      |                Status:  accepted
                   Priority:  medium      |             Milestone:  Sprint-20121120
                  Component:  data source |            Resolution:
                   Keywords:              |             Sensitive:  0
            Defect Severity:  High        |           Sub-Project:  DNS
Feature Depending on Ticket:              |  Estimated Difficulty:  5
        Add Hours to Ticket:  0           |           Total Hours:  0
                  Internal?:  0           |
------------------------------------------+-------------------------------------

Comment (by jinmei):

 trac2420 is ready for review.

 The main change is not big, but I needed to update various parts of
 the implementation and add quite a number of tests to catch
 various different cases.  So the entire diff is a bit big and changes
 are scattered.  Here are some suggested instructions for review in the
 hope that they might reduce the pain:

 - The first commit (89a6779) is a pure refactoring (no behavior
   change), and only for the convenience of tests that are added later.
   I suggest reviewing this commit separately and then forgetting it.
 - Commits from 1558c3b to 7eb7d5e are the main changes for the subject
   of this ticket.  Among these d805ae6 is probably the most important
   change, and it's basically independent from the others.  So I suggest
   reviewing this commit next, and separately.
 - 798e61a is also an independent change, and was needed simply because
   new test data caused an exception in a test for the old version of
   in-memory data source.  We should really deprecate this stuff soon,
   but until then I suggest we live with this workaround.
 - I think the rest of the changes between 1558c3b and 7eb7d5e are
   reasonably understandable.  There are many test cases to cover
   various scenarios, but hopefully the comments help understand them.
 - Finally, 9397bd5 is a totally independent and unrelated fix.  As
   commented in the commit log, I noticed the current code could cause
   an unexpected assert() failure for a half-broken zone that is
   generally NSEC-signed but has no NSEC at the origin.  We could
   exclude this change from this ticket, but since it could be
   potentially serious and the fix itself is small, I thought it might
   make sense to piggyback the fix.

 The suggested changelog entry is:
 {{{
 503.?   [bug]           jinmei
         The in-memory data source now accepts an RRSIG provided without
         a covered RRset in loading.  A subsequent query for its owner name
         of the covered type would generally result in NXRRSET; if the
         covered RRset is of type NSEC3, the corresponding NSEC3 processing
         would result in SERVFAIL.
         (Trac #2420, git TBD)
 }}}

-- 
Ticket URL: <http://bind10.isc.org/ticket/2420#comment:5>
BIND 10 Development <http://bind10.isc.org>