Commit 24c235cb authored by JINMEI Tatuya's avatar JINMEI Tatuya
Browse files

[master] Merge branch 'trac2659'

parents 88b964a4 78b66fd8
......@@ -298,14 +298,18 @@ Query::addNXRRsetProof(ZoneFinder& finder,
addWildcardNXRRSETProof(finder, db_context.rrset);
}
} else if (db_context.isNSEC3Signed() && !db_context.isWildcard()) {
if (*qtype_ == RRType::DS()) {
// RFC 5155, Section 7.2.4. Add either NSEC3 for the qname or
// closest (provable) encloser proof in case of optout.
addClosestEncloserProof(finder, *qname_, true);
} else {
// RFC 5155, Section 7.2.3. Just add NSEC3 for the qname.
addNSEC3ForName(finder, *qname_, true);
}
// Section 7.2.3 and 7.2.4 of RFC 5155 with clarification by errata
// http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=3441
// In the end, these two cases are basically the same: if the qname is
// equal to or derived from insecure delegation covered by an Opt-Out
// NSEC3 RR, include the closest provable encloser proof; otherwise we
// have a matching NSEC3, so we include it.
//
// Note: This implementation does not check in the former case whether
// the NSEC3 for the next closer has Opt-Out bit on; this must be the
// case as long as the zone is correctly signed, and if it's broken
// we'd just return what we are given and have the validator detect it.
addClosestEncloserProof(finder, *qname_, true);
} else if (db_context.isNSEC3Signed() && db_context.isWildcard()) {
// Case for RFC 5155 Section 7.2.5: add closest encloser proof for the
// qname, construct the matched wildcard name and add NSEC3 for it.
......
......@@ -217,6 +217,13 @@ public:
"t644ebqk9bibcna874givr6joj62mlhv";
hash_map_[Name("www1.uwild.example.com")] =
"q04jkcevqvmu85r014c7dkba38o0ji6r"; // a bit larger than H(www)
// For empty-non-terminal derived from insecure delegation (we don't
// need a hash for the delegation point itself for that test). the
// hash for empty name is the same as that for unsigned-delegation
// above, as the case is similar to that.
hash_map_[Name("empty.example.com")] =
"q81r598950igr1eqvc60aedlq66425b5"; // a bit larger than H(www)
}
virtual string calculate(const Name& name) const {
const NSEC3HashMap::const_iterator found = hash_map_.find(name);
......@@ -262,8 +269,6 @@ public:
// to child zones are identified by the existence of non origin NS records.
// Another special name is "dname.example.com". Query names under this name
// will result in DNAME.
// This mock zone doesn't handle empty non terminal nodes (if we need to test
// such cases find() should have specialized code for it).
class MockZoneFinder : public ZoneFinder {
public:
MockZoneFinder() :
......@@ -2468,21 +2473,32 @@ TEST_P(QueryTest, nxrrsetWithNSEC3) {
NULL, mock_finder->getOrigin());
}
// Check the exception is correctly raised when the NSEC3 thing isn't in the
// zone
TEST_F(QueryTestForMockOnly, nxrrsetMissingNSEC3) {
// This is a broken data source scenario; works only with mock.
mock_finder->setNSEC3Flag(true);
// We just need it to return false for "matched". This indicates
// there's no exact match for NSEC3 on www.example.com.
ZoneFinder::FindNSEC3Result nsec3(false, 0, ConstRRsetPtr(),
ConstRRsetPtr());
mock_finder->setNSEC3Result(&nsec3);
TEST_P(QueryTest, nxrrsetDerivedFromOptOutNSEC3) {
// In this test we emulate the situation where an empty non-terminal name
// is derived from insecure delegation and covered by an opt-out NSEC3.
// In the actual test data the covering NSEC3 really has the opt-out
// bit set, although the implementation doesn't check it anyway.
enableNSEC3(rrsets_to_add_);
query.process(*list_, Name("empty.example.com"), RRType::TXT(), response,
true);
EXPECT_THROW(query.process(*list_, Name("www.example.com"),
RRType::TXT(), response, true),
Query::BadNSEC3);
// The closest provable encloser is the origin name (example.com.), and
// the next closer is the empty name itself, which is expected to be
// covered by an opt-out NSEC3 RR. The response should contain these 2
// NSEC3s.
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
(string(soa_minttl_txt) +
string("example.com. 0 IN RRSIG ") +
getCommonRRSIGText("SOA") + "\n" +
string(nsec3_apex_txt) + "\n" +
nsec3_hash_.calculate(Name("example.com.")) +
".example.com. 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n" +
string(nsec3_www_txt) + "\n" +
nsec3_hash_.calculate(Name("www.example.com.")) +
".example.com. 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n").c_str(),
NULL, mock_finder->getOrigin());
}
TEST_P(QueryTest, nxrrsetWithNSEC3_ds_exact) {
......
......@@ -234,3 +234,8 @@ bad-delegation.example.com. 3600 IN NS ns.example.net.
;; or NSEC3 that proves it.
;var=nosec_delegation_txt
nosec-delegation.example.com. 3600 IN NS ns.nosec.example.net.
;; Setup for emulating insecure delegation that contain an empty name.
;; the delegation itself isn't expected to be used directly in tests.
;var=
delegation.empty.example.com. 3600 IN NS ns.delegation.empty.example
;; See query_testzone_data.txt for general notes.
;; See example-base-inc.zone for general notes.
;; NSEC3PARAM. This is needed for database-based data source to
;; signal the zone is NSEC3-signed
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment