Commit f9593f5d authored by Jelte Jansen's avatar Jelte Jansen
Browse files

[1582] comments and dox

parent 0db8f9c9
......@@ -248,7 +248,8 @@ Query::addNXRRsetProof(ZoneFinder& finder,
boost::const_pointer_cast<AbstractRRset>(
result.closest_proof), dnssec_);
// For qtype == DS, next_proof could be set
// (Do we want to double-check for opt-out here?)
// (We could check for opt-out here, but that's really the
// responsibility of the datasource)
if (qtype_ds && result.next_proof != ConstRRsetPtr()) {
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<AbstractRRset>(
......
......@@ -88,8 +88,9 @@ private:
/// \brief Adds NSEC denial proof for the given NXRRset result
///
/// NSEC records, if available (signaled by isNSECSigned(), are added
/// to the authority section.
/// If available, NSEC or NSEC3 records are added to the authority
/// section (depending on whether isNSECSigned() or isNSEC3Signed()
/// returns true.
///
/// \param finder The ZoneFinder that was used to search for the missing
/// data
......
......@@ -1699,26 +1699,32 @@ TEST_F(QueryTest, nxrrsetMissingNSEC3) {
response, true).process(), Query::BadNSEC3);
}
// Check the exact matching NSEC3 is returned for NXRRSET and qtype DS
TEST_F(QueryTest, nxrrsetWithNSEC3_ds_exact) {
mock_finder->setNSEC3Flag(true);
// This delegation has no DS, but does have a matching NSEC3 record
// (See RFC5155 section 7.2.4)
Query(memory_client, Name("unsigned-delegation.example.com."),
RRType::DS(), response, true).process();
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("SOA") + "\n" +
string(unsigned_delegation_nsec3_txt) + "\n" +
mock_finder->hash_map_[Name("unsigned-delegation.example.com.")] +
mock_finder->
hash_map_[Name("unsigned-delegation.example.com.")] +
".example.com. 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n").c_str(),
NULL, mock_finder->getOrigin());
}
// Check the signature is present when an NXRRSET is returned and qtype is DS
TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
mock_finder->setNSEC3Flag(true);
// This delegation has no DS, and no directly matching NSEC3 record
// So the response should contain closest encloser proof (and the
// 'next closer' should have opt-out set, though that is not
// actually checked)
// (See RFC5155 section 7.2.4)
Query(memory_client, Name("unsigned-delegation-optout.example.com."),
RRType::DS(), response, true).process();
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
......@@ -1729,13 +1735,13 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
".example.com. 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n" +
string(unsigned_delegation_nsec3_txt) + "\n" +
mock_finder->hash_map_[Name("unsigned-delegation.example.com.")] +
mock_finder->
hash_map_[Name("unsigned-delegation.example.com.")] +
".example.com. 3600 IN RRSIG " +
getCommonRRSIGText("NSEC3") + "\n").c_str(),
NULL, mock_finder->getOrigin());
}
// The following are tentative tests until we really add tests for the
// query logic for these cases. At that point it's probably better to
// clean them up.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment