Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
ISC Open Source Projects
Kea
Commits
95f2ccbb
Commit
95f2ccbb
authored
Jan 30, 2012
by
JINMEI Tatuya
Browse files
[1574b] checked some NSEC3 parameter consistency
parent
7af06f97
Changes
2
Hide whitespace changes
Inline
Side-by-side
src/lib/datasrc/memory_datasrc.cc
View file @
95f2ccbb
...
...
@@ -25,6 +25,7 @@
#include
<exceptions/exceptions.h>
#include
<dns/name.h>
#include
<dns/nsec3hash.h>
#include
<dns/rdataclass.h>
#include
<dns/rrclass.h>
#include
<dns/rrsetlist.h>
...
...
@@ -86,8 +87,14 @@ struct ZoneData {
// The optional NSEC3 related data
struct
NSEC3Data
{
NSEC3Map
map_
;
// Actual NSEC3 RRs
// We should also have hash parameters here (maybe hold NSEC3Hash?)
NSEC3Data
(
const
generic
::
NSEC3PARAM
&
nsec3param
)
:
hash_
(
NSEC3Hash
::
create
(
nsec3param
))
{}
NSEC3Data
(
const
generic
::
NSEC3
&
nsec3
)
:
hash_
(
NSEC3Hash
::
create
(
nsec3
))
{}
NSEC3Map
map_
;
// Actual NSEC3 RRs
const
scoped_ptr
<
NSEC3Hash
>
hash_
;
// hash parameter/calculator
};
scoped_ptr
<
NSEC3Data
>
nsec3_data_
;
// non NULL only when it's NSEC3 signed
};
...
...
@@ -370,9 +377,22 @@ struct InMemoryZoneFinder::InMemoryZoneFinderImpl {
}
result
::
Result
addNSEC3
(
const
ConstRRsetPtr
rrset
,
ZoneData
&
zone_data
)
{
// We know rrset has exactly one RDATA
const
generic
::
NSEC3
&
nsec3_rdata
=
dynamic_cast
<
const
generic
::
NSEC3
&>
(
rrset
->
getRdataIterator
()
->
getCurrent
());
// If we've not done any NSEC3 setup for the zone, do it know;
// otherwise check parameter consistency.
if
(
!
zone_data
.
nsec3_data_
)
{
zone_data
.
nsec3_data_
.
reset
(
new
ZoneData
::
NSEC3Data
);
zone_data
.
nsec3_data_
.
reset
(
new
ZoneData
::
NSEC3Data
(
nsec3_rdata
));
}
else
{
if
(
!
zone_data
.
nsec3_data_
->
hash_
->
match
(
nsec3_rdata
))
{
isc_throw
(
AddError
,
"NSEC3 with inconsistent parameters: "
<<
rrset
->
toText
());
}
}
string
fst_label
=
rrset
->
getName
().
split
(
0
,
1
).
toText
(
true
);
transform
(
fst_label
.
begin
(),
fst_label
.
end
(),
fst_label
.
begin
(),
ToUpper
());
...
...
@@ -457,6 +477,17 @@ struct InMemoryZoneFinder::InMemoryZoneFinderImpl {
node
->
setFlag
(
DomainNode
::
FLAG_CALLBACK
);
}
// If we've added NSEC3PARAM and the zone isn't yet NSEC3-ready
// set it up (note: this part doesn't ensure strong exception
// guarantee)
if
(
rrset
->
getType
()
==
RRType
::
NSEC3PARAM
()
&&
!
zone_data
.
nsec3_data_
)
{
zone_data
.
nsec3_data_
.
reset
(
new
ZoneData
::
NSEC3Data
(
dynamic_cast
<
const
generic
::
NSEC3PARAM
&>
(
rrset
->
getRdataIterator
()
->
getCurrent
())));
}
return
(
result
::
SUCCESS
);
}
else
{
// The RRSet of given type was already there
...
...
src/lib/datasrc/tests/memory_datasrc_unittest.cc
View file @
95f2ccbb
...
...
@@ -1478,6 +1478,34 @@ TEST_F(InMemoryZoneFinderTest, badRRsigForNSEC3) {
InMemoryZoneFinder
::
AddError
);
}
TEST_F
(
InMemoryZoneFinderTest
,
paramConsistencyWithNSEC3PARAM
)
{
// First, add an NSEC3PARAM RR
EXPECT_EQ
(
result
::
SUCCESS
,
zone_finder_
.
add
(
textToRRset
(
"example.org. 300 IN NSEC3PARAM "
"1 0 12 aabbccdd"
)));
// Adding an NSEC3 that has matching parameters is okay.
EXPECT_EQ
(
result
::
SUCCESS
,
zone_finder_
.
add
(
textToRRset
(
string
(
apex_hash
)
+
".example.org."
+
string
(
nsec3_common
))));
// NSEC3 with inconsistent parameter will be rejected
EXPECT_THROW
(
zone_finder_
.
add
(
textToRRset
(
"a.example.org. 300 IN NSEC3 1 0 1 aabbccdd "
"2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG"
)),
InMemoryZoneFinder
::
AddError
);
}
TEST_F
(
InMemoryZoneFinderTest
,
paramConsistencyWithNSEC3
)
{
// Add an NSEC3 without adding NSEC3PARAM
EXPECT_EQ
(
result
::
SUCCESS
,
zone_finder_
.
add
(
textToRRset
(
string
(
apex_hash
)
+
".example.org."
+
string
(
nsec3_common
))));
// Adding an NSEC3 with inconsistent parameter will be rejected at this pt.
EXPECT_THROW
(
zone_finder_
.
add
(
textToRRset
(
"a.example.org. 300 IN NSEC3 1 0 1 aabbccdd "
"2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG"
)),
InMemoryZoneFinder
::
AddError
);
}
TEST_F
(
InMemoryZoneFinderTest
,
multiNSEC3PARAM
)
{
// In this current implementation multiple NSEC3PARAM isn't supported.
RRsetPtr
nsec3param
(
new
RRset
(
Name
(
"example.org"
),
RRClass
::
IN
(),
...
...
@@ -1488,8 +1516,7 @@ TEST_F(InMemoryZoneFinderTest, multiNSEC3PARAM) {
}
// TODO
// - parameter consistency
// - existence of NSEC3PARAM
// -
parameter consistency with NSEC3PARAM
// - add NSEC3PARAM
first/second
// -
add NSEC3PARAM second, check consistency
// - add NSEC3PARAM
at non origin (should be ignored)
}
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment