Commit 77ceb438 authored by zhanghk's avatar zhanghk

construct name as next closer+closest encloser, and then invoke findNSEC3 to confirm its non-exist

parent 7be2f0a4
......@@ -169,50 +169,43 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
void
Query::addWildcardProof(ZoneFinder& finder,
const ZoneFinder::FindResult& db_result)
const ZoneFinder::FindResult& db_result)
{
// The query name shouldn't exist in the zone if there were no wildcard
// substitution. Confirm that by specifying NO_WILDCARD. It should result
// in NXDOMAIN and an NSEC RR that proves it should be returned.
if(db_result.isNSECSigned() && db_result.isWildcard()){
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(),
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
fresult.rrset->getRdataCount() == 0) {
isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
dnssec_);
}else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
// case for RFC5155 Section 7.2.6
const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
true));
/*
if (NSEC3Result.code != ZoneFinder::NXDOMAIN || !NSEC3Result.rrset ||
NSEC3Result.rrset->getRdataCount() == 0) {
isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
}
*/
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
NSEC3Result.next_proof), dnssec_);
const Name wname = Name("*").concatenate(
qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels));
const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
false));
if (wresult.matched) {
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
wresult.closest_proof), dnssec_);
} else {
isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
<< wname);
}
}
// The query name shouldn't exist in the zone if there were no wildcard
// substitution. Confirm that by specifying NO_WILDCARD. It should result
// in NXDOMAIN and an NSEC RR that proves it should be returned.
if(db_result.isNSECSigned() && db_result.isWildcard()){
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(),
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
fresult.rrset->getRdataCount() == 0) {
isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
dnssec_);
}else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
// case for RFC5155 Section 7.2.6
const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
true));
if (NULL == NSEC3Result.next_proof){
isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
NSEC3Result.next_proof), dnssec_);
const Name wname =
qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels - 1);
const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
false));
if (wresult.matched) {
isc_throw(BadNSEC3, "Unexpected NSEC3 found for existing domain "
<< wname);
}
}
}
void
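Review bot: In the NSEC3 branch the exception text for `wresult.matched` says "existing domain", but `wname` is now the next closer name, which is expected not to exist, so the log message points at the wrong condition when the proof is rejected. Something like `isc_throw(BadNSEC3, "Matching NSEC3 found for next closer name " << wname << " in wildcard proof");` describes the failure. `wresult` is used only for that check; if the recursive lookup on `qname_` already guarantees that `next_proof` covers this name (findNSEC3 is not visible in the hunk, so this is an assumption), the second call repeats an NSEC3 hash on every wildcard answer and a comment should say why it is kept. The null test would also read consistently with the NSEC branch's `!fresult.rrset` as `if (!NSEC3Result.next_proof)`.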
......