[1581] Implement the returning of NXRRSET NSEC3 proof

cb404986 · Michal 'vorner' Vaner · 66a1a1ac · cb404986 · cb404986
Commit cb404986 authored Feb 08, 2012 by Michal 'vorner' Vaner
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -236,6 +236,17 @@ Query::addNXRRsetProof(ZoneFinder& finder,
        if (db_result.isWildcard()) {
            addWildcardNXRRSETProof(finder, db_result.rrset);
        }
+    } else if (db_result.isNSEC3Signed()) {
+        ZoneFinder::FindNSEC3Result result(finder.findNSEC3(qname_, false));
+        if (result.matched) {
+            response_.addRRset(Message::SECTION_AUTHORITY,
+                               boost::const_pointer_cast<AbstractRRset>(
+                                   result.closest_proof), dnssec_);
+
+        } else {
+            isc_throw(BadNSEC3, "No NSEC3 found for existing domain " <<
+                      qname_.toText());
+        }
    }
 }


--- a/src/bin/auth/query.h
+++ b/src/bin/auth/query.h
@@ -270,6 +270,17 @@ public:
        {}
    };

+    /// An invalid result is given when a valid NSEC3 is expected
+    ///
+    /// This can only happen when the underlying data source implementation or
+    /// the zone is broken.  By throwing an exception we treat such cases
+    /// as SERVFAIL.
+    struct BadNSEC3 : public BadZone {
+        BadNSEC3(const char* file, size_t line, const char* what) :
+            BadZone(file, line, what)
+        {}
+    };
+
    /// An invalid result is given when a valid DS records (or NXRRSET) is
    /// expected
    ///