Skip to content

GitLab

Commit a4abbe54 authored by JINMEI Tatuya's avatar JINMEI Tatuya
Browse files

[1584review] Merge branch 'trac1584' into trac1584review

parents af00b019 c9b1b85a
Hide whitespace changes
Inline Side-by-side
src/bin/auth/query.cc
View file @ a4abbe54
......@@ -168,20 +168,46 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
}
void
Query::addWildcardProof(ZoneFinder& finder) {
// The query name shouldn't exist in the zone if there were no wildcard
// substitution. Confirm that by specifying NO_WILDCARD. It should result
// in NXDOMAIN and an NSEC RR that proves it should be returned.
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(),
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
fresult.rrset->getRdataCount() == 0) {
isc_throw(BadNSEC, "Unexpected result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
dnssec_);
Query::addWildcardProof(ZoneFinder& finder,
const ZoneFinder::FindResult& db_result)
{
// The query name shouldn't exist in the zone if there were no wildcard
// substitution. Confirm that by specifying NO_WILDCARD. It should result
// in NXDOMAIN and an NSEC RR that proves it should be returned.
if (db_result.isNSECSigned() && db_result.isWildcard()){
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(),
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
fresult.rrset->getRdataCount() == 0) {
isc_throw(BadNSEC,
"Unexpected NSEC result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
fresult.rrset),
dnssec_);
} else if (db_result.isNSEC3Signed() && db_result.isWildcard()) {
// case for RFC5155 Section 7.2.6
const ZoneFinder::FindNSEC3Result NSEC3Result(
finder.findNSEC3(qname_, true));
if (NULL == NSEC3Result.next_proof) {
isc_throw(BadNSEC3, "Unexpected NSEC3 "
"result for wildcard proof");
}
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
NSEC3Result.next_proof), dnssec_);
const Name wname =
qname_.split(qname_.getLabelCount() -
NSEC3Result.closest_labels - 1);
const ZoneFinder::FindNSEC3Result wresult(
finder.findNSEC3(wname, false));
if (wresult.matched) {
isc_throw(BadNSEC3, "Unexpected NSEC3 "
"found for existing domain " << wname);
}
}
}
void
......@@ -448,7 +474,7 @@ Query::process() {
// If the answer is a result of wildcard substitution,
// add a proof that there's no closer name.
if (dnssec_ && db_result.isWildcard()) {
addWildcardProof(*result.zone_finder);
addWildcardProof(*result.zone_finder,db_result);
}
break;
case ZoneFinder::SUCCESS:
......@@ -482,7 +508,7 @@ Query::process() {
// If the answer is a result of wildcard substitution,
// add a proof that there's no closer name.
if (dnssec_ && db_result.isWildcard()) {
addWildcardProof(*result.zone_finder);
addWildcardProof(*result.zone_finder,db_result);
}
break;
case ZoneFinder::DELEGATION:
......
src/bin/auth/query.h
View file @ a4abbe54
......@@ -107,7 +107,9 @@ private:
/// Add NSEC RRs that prove a wildcard answer is the best one.
///
/// This corresponds to Section 3.1.3.3 of RFC 4035.
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
void addWildcardProof(
isc::datasrc::ZoneFinder& finder,
const isc::datasrc::ZoneFinder::FindResult& dbResult);
/// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
/// matched <QNAME,QTYPE> through wildcard extension.
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment