Commit 24c235cb authored by JINMEI Tatuya's avatar JINMEI Tatuya
Browse files

[master] Merge branch 'trac2659'

parents 88b964a4 78b66fd8
......@@ -298,14 +298,18 @@ Query::addNXRRsetProof(ZoneFinder& finder,
addWildcardNXRRSETProof(finder, db_context.rrset);
} else if (db_context.isNSEC3Signed() && !db_context.isWildcard()) {
if (*qtype_ == RRType::DS()) {
// RFC 5155, Section 7.2.4. Add either NSEC3 for the qname or
// closest (provable) encloser proof in case of optout.
addClosestEncloserProof(finder, *qname_, true);
} else {
// RFC 5155, Section 7.2.3. Just add NSEC3 for the qname.
addNSEC3ForName(finder, *qname_, true);
// Section 7.2.3 and 7.2.4 of RFC 5155 with clarification by errata
// In the end, these two cases are basically the same: if the qname is
// equal to or derived from insecure delegation covered by an Opt-Out
// NSEC3 RR, include the closest provable encloser proof; otherwise we
// have a matching NSEC3, so we include it.
// Note: This implementation does not check in the former case whether
// the NSEC3 for the next closer has Opt-Out bit on; this must be the
// case as long as the zone is correctly signed, and if it's broken
// we'd just return what we are given and have the validator detect it.
addClosestEncloserProof(finder, *qname_, true);
} else if (db_context.isNSEC3Signed() && db_context.isWildcard()) {
// Case for RFC 5155 Section 7.2.5: add closest encloser proof for the
// qname, construct the matched wildcard name and add NSEC3 for it.
......@@ -217,6 +217,13 @@ public:
hash_map_[Name("")] =
"q04jkcevqvmu85r014c7dkba38o0ji6r"; // a bit larger than H(www)
// For empty-non-terminal derived from insecure delegation (we don't
// need a hash for the delegation point itself for that test). the
// hash for empty name is the same as that for unsigned-delegation
// above, as the case is similar to that.
hash_map_[Name("")] =
"q81r598950igr1eqvc60aedlq66425b5"; // a bit larger than H(www)
virtual string calculate(const Name& name) const {
const NSEC3HashMap::const_iterator found = hash_map_.find(name);
......@@ -262,8 +269,6 @@ public:
// to child zones are identified by the existence of non origin NS records.
// Another special name is "". Query names under this name
// will result in DNAME.
// This mock zone doesn't handle empty non terminal nodes (if we need to test
// such cases find() should have specialized code for it).
class MockZoneFinder : public ZoneFinder {
MockZoneFinder() :
......@@ -2468,21 +2473,32 @@ TEST_P(QueryTest, nxrrsetWithNSEC3) {
NULL, mock_finder->getOrigin());
// Check the exception is correctly raised when the NSEC3 thing isn't in the
// zone
TEST_F(QueryTestForMockOnly, nxrrsetMissingNSEC3) {
// This is a broken data source scenario; works only with mock.
// We just need it to return false for "matched". This indicates
// there's no exact match for NSEC3 on
ZoneFinder::FindNSEC3Result nsec3(false, 0, ConstRRsetPtr(),
TEST_P(QueryTest, nxrrsetDerivedFromOptOutNSEC3) {
// In this test we emulate the situation where an empty non-terminal name
// is derived from insecure delegation and covered by an opt-out NSEC3.
// In the actual test data the covering NSEC3 really has the opt-out
// bit set, although the implementation doesn't check it anyway.
query.process(*list_, Name(""), RRType::TXT(), response,
EXPECT_THROW(query.process(*list_, Name(""),
RRType::TXT(), response, true),
// The closest provable encloser is the origin name (, and
// the next closer is the empty name itself, which is expected to be
// covered by an opt-out NSEC3 RR. The response should contain these 2
// NSEC3s.
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
(string(soa_minttl_txt) +
string(" 0 IN RRSIG ") +
getCommonRRSIGText("SOA") + "\n" +
string(nsec3_apex_txt) + "\n" +
nsec3_hash_.calculate(Name("")) +
" 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n" +
string(nsec3_www_txt) + "\n" +
nsec3_hash_.calculate(Name("")) +
" 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n").c_str(),
NULL, mock_finder->getOrigin());
TEST_P(QueryTest, nxrrsetWithNSEC3_ds_exact) {
......@@ -234,3 +234,8 @@ 3600 IN NS
;; or NSEC3 that proves it.
;var=nosec_delegation_txt 3600 IN NS
;; Setup for emulating insecure delegation that contain an empty name.
;; the delegation itself isn't expected to be used directly in tests.
;var= 3600 IN NS ns.delegation.empty.example
;; See query_testzone_data.txt for general notes.
;; See for general notes.
;; NSEC3PARAM. This is needed for database-based data source to
;; signal the zone is NSEC3-signed
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment