query.cc 21.8 KB
// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

#include <algorithm>            // for std::max
#include <vector>
#include <boost/foreach.hpp>
#include <boost/bind.hpp>
#include <boost/function.hpp>

#include <dns/message.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>

#include <datasrc/client.h>

#include <auth/query.h>

using namespace isc::dns;
using namespace isc::datasrc;
using namespace isc::dns::rdata;

namespace isc {
namespace auth {

void
Query::addAdditional(ZoneFinder& zone, const AbstractRRset& rrset) {
    // Walk every RDATA of the given RRset.  Only NS and MX RRsets lead to
    // additional-section processing: the target name found in the RDATA is
    // handed to addAdditionalAddrs().  RRsets of any other type are
    // iterated over but add nothing.
    RdataIteratorPtr it(rrset.getRdataIterator());
    while (!it->isLast()) {
        const Rdata& current(it->getCurrent());
        if (rrset.getType() == RRType::NS()) {
            // NS targets must be searched in the "GLUE OK" mode.
            // dynamic_cast on a reference throws std::bad_cast if the
            // RDATA is not actually an NS.
            const generic::NS& ns_rdata =
                dynamic_cast<const generic::NS&>(current);
            addAdditionalAddrs(zone, ns_rdata.getNSName(),
                               ZoneFinder::FIND_GLUE_OK);
        } else if (rrset.getType() == RRType::MX()) {
            // MX targets use the default find options.
            const generic::MX& mx_rdata =
                dynamic_cast<const generic::MX&>(current);
            addAdditionalAddrs(zone, mx_rdata.getMXName());
        }
        it->next();
    }
}

void
Query::addAdditionalAddrs(ZoneFinder& zone, const Name& qname,
                          const ZoneFinder::FindOptions options)
{
    // Ignore out-of-zone names: only a name equal to the zone origin or
    // below it is looked up, so the additional section is filled solely
    // from the zone handled by 'zone'.
    const NameComparisonResult cmp = zone.getOrigin().compare(qname);
    const bool in_zone =
        (cmp.getRelation() == NameComparisonResult::SUPERDOMAIN) ||
        (cmp.getRelation() == NameComparisonResult::EQUAL);
    if (!in_zone) {
        return;
    }

    // Omit additional data which has already been provided in the answer
    // section: for an ANY query on this very name, all address RRsets owned
    // by it have been inserted into the ANSWER section.
    if (qname_ == qname && qtype_ == RRType::ANY()) {
        return;
    }

    // Look up the A RRset first and the AAAA RRset second.  An address type
    // is skipped when it is exactly what the query asked for on this name.
    const RRType addr_types[] = { RRType::A(), RRType::AAAA() };
    const unsigned int n_types = sizeof(addr_types) / sizeof(addr_types[0]);
    for (unsigned int i = 0; i < n_types; ++i) {
        if (qname_ == qname && qtype_ == addr_types[i]) {
            continue;
        }
        const ZoneFinder::FindResult found =
            zone.find(qname, addr_types[i], options | dnssec_opt_);
        if (found.code == ZoneFinder::SUCCESS) {
            response_.addRRset(Message::SECTION_ADDITIONAL,
                boost::const_pointer_cast<AbstractRRset>(found.rrset),
                dnssec_);
        }
    }
}

void
Query::addSOA(ZoneFinder& finder) {
    // Fetch the SOA at the zone origin; a zone without one is reported to
    // the caller with the NoSOA exception.
    const ZoneFinder::FindResult soa_lookup =
        finder.find(finder.getOrigin(), RRType::SOA(), dnssec_opt_);
    if (soa_lookup.code != ZoneFinder::SUCCESS) {
        isc_throw(NoSOA, "There's no SOA record in zone " <<
                  finder.getOrigin().toText());
    }

    // FIXME: The const-cast is wrong, but the Message interface seems
    // to insist.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           soa_lookup.rrset),
                       dnssec_);
}

// Note: unless the data source client implementation or the zone content
// is broken, 'nsec' should be a valid NSEC RR.  Likewise, the call to
// find() in this method should result in NXDOMAIN and an NSEC RR that proves
// the non-existence of a matching wildcard.  If these assumptions aren't met
// due to a buggy data source implementation or a broken zone, we'll let
// underlying libdns++ modules throw an exception, which would result in
// either a SERVFAIL response or just ignoring the query.  We at least prevent
// a complete crash due to such broken behavior.
void
Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for NXDOMAIN is empty");
    }

    // The NSEC proving NXDOMAIN goes to the authority section first.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(nsec),
                       dnssec_);

    // Next, identify the best possible wildcard name that would match
    // the query name.  It's the longer common suffix with the qname
    // between the owner or the next domain of the NSEC that proves NXDOMAIN,
    // prefixed by the wildcard label, "*".  For example, for query name
    // a.b.example.com, if the NXDOMAIN NSEC is
    // b.example.com. NSEC c.example.com., the longer suffix is b.example.com.,
    // and the best possible wildcard is *.b.example.com.  If the NXDOMAIN
    // NSEC is a.example.com. NSEC c.b.example.com., the longer suffix
    // is the next domain of the NSEC, and we get the same wildcard name.
    const int qlabels = qname_.getLabelCount();
    const int owner_common =
        qname_.compare(nsec->getName()).getCommonLabels();
    // The iterator is kept in a local while its current RDATA is referenced.
    // The dynamic_cast throws std::bad_cast if the RDATA is not an NSEC.
    const RdataIteratorPtr nsec_it(nsec->getRdataIterator());
    const generic::NSEC& nsec_rdata =
        dynamic_cast<const generic::NSEC&>(nsec_it->getCurrent());
    const int next_common =
        qname_.compare(nsec_rdata.getNextName()).getCommonLabels();
    const int common_labels = std::max(owner_common, next_common);
    const Name wildname(
        Name("*").concatenate(qname_.split(qlabels - common_labels)));

    // Confirm the wildcard doesn't exist (this should result in NXDOMAIN;
    // otherwise we shouldn't have got NXDOMAIN for the original query in
    // the first place).
    const ZoneFinder::FindResult wild_lookup =
        finder.find(wildname, RRType::NSEC(), dnssec_opt_);
    if (wild_lookup.code != ZoneFinder::NXDOMAIN || !wild_lookup.rrset ||
        wild_lookup.rrset->getRdataCount() == 0) {
        isc_throw(BadNSEC, "Unexpected result for wildcard NXDOMAIN proof");
    }

    // Add the (no-) wildcard proof only when it's different from the NSEC
    // that proves NXDOMAIN; sometimes they can be the same.
    // Note: name comparison is relatively expensive.  When we are at the
    // stage of performance optimization, we should consider optimizing this
    // for some optimized data source implementations.
    if (nsec->getName() != wild_lookup.rrset->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               wild_lookup.rrset),
                           dnssec_);
    }
}

void
Query::addWildcardProof(ZoneFinder& finder,
                        const ZoneFinder::FindResult& db_result)
{
    // Adds the proof that goes with a wildcard-synthesized answer.  Which
    // proof is built depends on whether db_result reports the zone as NSEC
    // or NSEC3 signed; if neither applies (or the result is not a wildcard
    // match) nothing is added.
    if (db_result.isNSECSigned() && db_result.isWildcard()) {
        // The query name shouldn't exist in the zone if there were no
        // wildcard substitution.  Confirm that by specifying NO_WILDCARD.
        // It should result in NXDOMAIN and an NSEC RR that proves it should
        // be returned.
        const ZoneFinder::FindResult nsec_lookup =
            finder.find(qname_, RRType::NSEC(),
                        dnssec_opt_ | ZoneFinder::NO_WILDCARD);
        if (nsec_lookup.code != ZoneFinder::NXDOMAIN || !nsec_lookup.rrset ||
            nsec_lookup.rrset->getRdataCount() == 0) {
            isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
        }
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec_lookup.rrset),
                           dnssec_);
        return;
    }

    if (!(db_result.isNSEC3Signed() && db_result.isWildcard())) {
        return;
    }

    // Case for RFC5155 Section 7.2.6.
    const ZoneFinder::FindNSEC3Result nsec3_lookup(
        finder.findNSEC3(qname_, true));
    if (!nsec3_lookup.next_proof) {
        isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
    }
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           nsec3_lookup.next_proof),
                       dnssec_);

    // Build the name that is one label longer than the closest encloser
    // reported above and check that no NSEC3 matches it.
    // NOTE(review): closest_labels comes from the data source; this
    // assumes it is smaller than the query name's label count, otherwise
    // the subtraction does not give a valid split position.  Presumably
    // split() rejects that; confirm.
    const Name wname =
        qname_.split(qname_.getLabelCount() -
                     nsec3_lookup.closest_labels - 1);
    const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname, false));
    if (wresult.matched) {
        isc_throw(BadNSEC3, "Unexpected NSEC3 found for existing domain "
                  << wname);
    }
}

void
Query::addWildcardNXRRSETProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    // 'nsec' is the NSEC RR found in the zone to prove that there is no
    // matching <QNAME,QTYPE> via wildcard expansion; it must carry RDATA.
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
    }

    // Look up QNAME itself with wildcard matching disabled.  This is
    // expected to give NXDOMAIN along with a non-empty NSEC RRset; anything
    // else is treated as broken data and reported by exception.
    const ZoneFinder::FindResult no_match =
        finder.find(qname_, RRType::NSEC(),
                    dnssec_opt_ | ZoneFinder::NO_WILDCARD);
    if (no_match.code != ZoneFinder::NXDOMAIN || !no_match.rrset ||
        no_match.rrset->getRdataCount() == 0) {
        isc_throw(BadNSEC, "Unexpected result for no match QNAME proof");
    }

    // When both NSECs have the same owner name, the one passed in already
    // proves that there is no matching QNAME, so a second one is added only
    // if the owner names differ.
    if (nsec->getName() != no_match.rrset->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               no_match.rrset),
                           dnssec_);
    }
}

void
Query::addDS(ZoneFinder& finder, const Name& dname) {
    // Look up the DS RRset for the delegation name 'dname' and add either
    // the DS itself or the proof of its absence to the authority section.
    const ZoneFinder::FindResult ds_lookup =
        finder.find(dname, RRType::DS(), dnssec_opt_);
    switch (ds_lookup.code) {
    case ZoneFinder::SUCCESS:
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               ds_lookup.rrset),
                           dnssec_);
        break;
    case ZoneFinder::NXRRSET:
        // NOTE(review): for an NSEC3-signed zone addNXRRsetProof() runs
        // findNSEC3() on qname_, not on 'dname'.  Confirm that this gives
        // the intended proof for a DS lookup at a delegation point.
        addNXRRsetProof(finder, ds_lookup);
        break;
    default:
        // Any other case should be an error
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
    }
}

void
Query::addNXRRsetProof(ZoneFinder& finder,
                       const ZoneFinder::FindResult& db_result)
{
    // NSEC-signed result carrying an RRset: that RRset is added to the
    // authority section, followed by the extra wildcard proof when the
    // result came from a wildcard match.
    if (db_result.isNSECSigned() && db_result.rrset) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               db_result.rrset),
                           dnssec_);
        if (db_result.isWildcard()) {
            addWildcardNXRRSETProof(finder, db_result.rrset);
        }
        return;
    }

    // If the result is not NSEC3-signed either, nothing is added.  This
    // includes an NSEC-signed result that carries no RRset.
    if (!db_result.isNSEC3Signed()) {
        return;
    }

    // NSEC3-signed result: the query name exists, so an NSEC3 matching it
    // is expected.  Its absence is reported by exception.
    const ZoneFinder::FindNSEC3Result nsec3_lookup(
        finder.findNSEC3(qname_, false));
    if (!nsec3_lookup.matched) {
        isc_throw(BadNSEC3, "No NSEC3 found for existing domain " <<
                  qname_.toText());
    }
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           nsec3_lookup.closest_proof),
                       dnssec_);
}

void
Query::addAuthAdditional(ZoneFinder& finder) {
    // Fill in the authority and additional sections from the apex NS RRset.
    const ZoneFinder::FindResult apex_ns =
        finder.find(finder.getOrigin(), RRType::NS(), dnssec_opt_);

    // The zone origin name should have NS records; report a zone without
    // them by exception.
    if (apex_ns.code != ZoneFinder::SUCCESS) {
        isc_throw(NoApexNS, "There's no apex NS records in zone " <<
                  finder.getOrigin().toText());
    }

    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           apex_ns.rrset),
                       dnssec_);
    // Handle additional for authority section
    addAdditional(finder, *apex_ns.rrset);
}

namespace {
// A simple wrapper for DataSourceClient::findZone().  Normally we can simply
// check the closest zone to the qname, but for type DS query we need to
// look into the parent zone.  Nevertheless, if there is no "parent" (i.e.,
// the qname consists of a single label, which also means it's the root name),
// we should search the deepest zone we have (which should be the root zone;
// otherwise it's a query error).
DataSourceClient::FindResult
findZone(const DataSourceClient& client, const Name& qname, RRType qtype) {
    const bool search_parent =
        (qtype == RRType::DS()) && (qname.getLabelCount() != 1);
    if (search_parent) {
        // Start the search from qname with its first label stripped.
        return (client.findZone(qname.split(1)));
    }
    return (client.findZone(qname));
}
}

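// Build the response for the query: locate the authoritative zone, look up
// QNAME/QTYPE in it, and fill the answer, authority and additional sections
// (plus DNSSEC proofs when dnssec_ is set) according to the lookup result.
// Data source results that break the expectations checked here are
// reported by exception.
void
Query::process() {
    // Find the zone which is the nearest ancestor to QNAME
    const DataSourceClient::FindResult result = findZone(datasrc_client_,
                                                         qname_, qtype_);

    // If we have no matching authoritative zone for the query name, return
    // REFUSED.  In short, this is to be compatible with BIND 9, but the
    // background discussion is not that simple.  See the relevant topic
    // at the BIND 10 developers' ML:
    // https://lists.isc.org/mailman/htdig/bind10-dev/2010-December/001633.html
    if (result.code != result::SUCCESS &&
        result.code != result::PARTIALMATCH) {
        // If we tried to find a "parent zone" for a DS query and failed,
        // we may still have authority at the child side.  If we do, the query
        // has to be handled there.
        if (qtype_ == RRType::DS() && qname_.getLabelCount() > 1 &&
            processDSAtChild()) {
            return;
        }
        response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
        response_.setRcode(Rcode::REFUSED());
        return;
    }
    ZoneFinder& zfinder = *result.zone_finder;

    // We have authority for a zone that contains the query name (possibly
    // indirectly via delegation).  Look into the zone.
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    std::vector<ConstRRsetPtr> target;
    boost::function0<ZoneFinder::FindResult> find;
    const bool qtype_is_any = (qtype_ == RRType::ANY());
    if (qtype_is_any) {
        // findAll() stores the RRsets it finds in 'target'.
        find = boost::bind(&ZoneFinder::findAll, &zfinder, qname_,
                           boost::ref(target), dnssec_opt_);
    } else {
        find = boost::bind(&ZoneFinder::find, &zfinder, qname_, qtype_,
                           dnssec_opt_);
    }
    ZoneFinder::FindResult db_result(find());
    switch (db_result.code) {
        case ZoneFinder::DNAME: {
            // An empty DNAME should never get in, as it is impossible to
            // create one in a master file.  The RRset still comes from the
            // data source, so it is checked explicitly: an assert() would
            // abort the whole process when it fires and performs no check
            // at all when compiled with NDEBUG.  Throwing follows how the
            // other inconsistent data source results are handled in this
            // file.
            if (!db_result.rrset || db_result.rrset->getRdataCount() == 0) {
                isc_throw(isc::Unexpected,
                          "Empty DNAME RRset in data source result");
            }
            // First, put the dname into the answer
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // Get the data of DNAME.  The iterator is held in a local so
            // that the reference to its current RDATA does not outlive it.
            const RdataIteratorPtr dname_it(
                db_result.rrset->getRdataIterator());
            const rdata::generic::DNAME& dname(
                dynamic_cast<const rdata::generic::DNAME&>(
                dname_it->getCurrent()));
            // The yet unmatched prefix dname
            const Name prefix(qname_.split(0, qname_.getLabelCount() -
                db_result.rrset->getName().getLabelCount()));
            // If we put it together, will it be too long?
            // (The prefix contains trailing ., which will be removed)
            if (prefix.getLength() - Name::ROOT_NAME().getLength() +
                dname.getDname().getLength() > Name::MAX_WIRE) {
                /*
                 * In case the synthesized name is too long, section 4.1
                 * of RFC 2672 mandates we return YXDOMAIN.
                 */
                response_.setRcode(Rcode::YXDOMAIN());
                return;
            }
            // The new CNAME we are creating (it will be unsigned even
            // with DNSSEC, the DNAME is signed and it can be validated
            // by that)
            RRsetPtr cname(new RRset(qname_, db_result.rrset->getClass(),
                RRType::CNAME(), db_result.rrset->getTTL()));
            // Construct the new target by replacing the end: the unmatched
            // prefix computed above followed by the DNAME target.
            cname->addRdata(rdata::generic::CNAME(
                prefix.concatenate(dname.getDname())));
            response_.addRRset(Message::SECTION_ANSWER, cname, dnssec_);
            break;
        }
        case ZoneFinder::CNAME:
            /*
             * We don't do chaining yet. Therefore handling a CNAME is
             * mostly the same as handling SUCCESS, but we didn't get
             * what we expected. It means no exceptions in ANY or NS
             * on the origin (though CNAME in origin is probably
             * forbidden anyway).
             *
             * So, just put it there.
             */
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);

            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(zfinder, db_result);
            }
            break;
        case ZoneFinder::SUCCESS:
            if (qtype_is_any) {
                // If query type is ANY, insert all RRs under the domain
                // into answer section.
                BOOST_FOREACH(ConstRRsetPtr rrset, target) {
                    response_.addRRset(Message::SECTION_ANSWER,
                        boost::const_pointer_cast<AbstractRRset>(rrset),
                        dnssec_);
                    // Handle additional for answer section
                    addAdditional(zfinder, *rrset);
                }
            } else {
                response_.addRRset(Message::SECTION_ANSWER,
                    boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                    dnssec_);
                // Handle additional for answer section
                addAdditional(zfinder, *db_result.rrset);
            }
            // If apex NS records haven't been provided in the answer
            // section, insert apex NS records into the authority section
            // and AAAA/A RRS of each of the NS RDATA into the additional
            // section.  (The result code is known to be SUCCESS in this
            // case, so only the name and the type need checking.)
            if (qname_ != zfinder.getOrigin() ||
                (qtype_ != RRType::NS() && !qtype_is_any))
            {
                addAuthAdditional(zfinder);
            }

            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(zfinder, db_result);
            }
            break;
        case ZoneFinder::DELEGATION:
            // If a DS query resulted in delegation, we also need to check
            // if we are an authority of the child, too.  If so, we need to
            // complete the process in the child as specified in Section
            // 2.2.1.2. of RFC3658.
            if (qtype_ == RRType::DS() && processDSAtChild()) {
                return;
            }

            // A referral is not an authoritative answer.
            response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
            response_.addRRset(Message::SECTION_AUTHORITY,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // If DNSSEC is requested, see whether there is a DS
            // record for this delegation.
            if (dnssec_) {
                addDS(zfinder, db_result.rrset->getName());
            }
            addAdditional(zfinder, *db_result.rrset);
            break;
        case ZoneFinder::NXDOMAIN:
            response_.setRcode(Rcode::NXDOMAIN());
            addSOA(zfinder);
            // The proof is added only when the result carries an RRset.
            if (dnssec_ && db_result.rrset) {
                addNXDOMAINProof(zfinder, db_result.rrset);
            }
            break;
        case ZoneFinder::NXRRSET:
            addSOA(zfinder);
            if (dnssec_) {
                addNXRRsetProof(zfinder, db_result);
            }
            break;
        default:
            // This is basically a bug of the data source implementation,
            // but could also happen in the middle of development where
            // we try to add a new result code.
            isc_throw(isc::NotImplemented, "Unknown result code");
    }
}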

bool
Query::processDSAtChild() {
    // Returns true when the response has been completed here, and false
    // when no zone exactly matching the query name is found, in which case
    // the response is left untouched.
    const DataSourceClient::FindResult child_zone =
        datasrc_client_.findZone(qname_);
    if (child_zone.code != result::SUCCESS) {
        return (false);
    }

    // We are receiving a DS query at the child side of the owner name,
    // where the DS isn't supposed to belong.  We should return a "no data"
    // response as described in Section 3.1.4.1 of RFC4035 and Section
    // 2.2.1.1 of RFC 3658.  find(DS) should result in NXRRSET, in which
    // case (and if DNSSEC is required) we also add the proof for that,
    // but even if find() returns an unexpected result, we don't bother.
    // The important point in this case is to return SOA so that the resolver
    // that happens to contact us can hunt for the appropriate parent zone
    // by seeing the SOA.
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    ZoneFinder& child_finder = *child_zone.zone_finder;
    addSOA(child_finder);
    const ZoneFinder::FindResult ds_lookup =
        child_finder.find(qname_, RRType::DS(), dnssec_opt_);
    if (ds_lookup.code == ZoneFinder::NXRRSET && dnssec_) {
        addNXRRsetProof(child_finder, ds_lookup);
    }

    return (true);
}

}
}