Commit 7130da88 authored by JINMEI Tatuya's avatar JINMEI Tatuya
Browse files

[master] Merge branch 'trac1912'

parents ed9fbd27 0010be46
......@@ -450,7 +450,8 @@ DatabaseClient::Finder::findDelegationPoint(const isc::dns::Name& name,
const size_t remove_labels = name.getLabelCount() - origin_label_count;
// Go through all superdomains from the origin down searching for nodes
// that indicate a delegation (.e. NS or DNAME).
// that indicate a delegation (.e. NS or DNAME). Note that we only check
// pure superdomains; delegation on an exact match will be detected later.
for (int i = remove_labels; i > 0; --i) {
const Name superdomain(name.split(i));
......@@ -810,12 +811,14 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
const FoundIterator cni(found.second.find(RRType::CNAME()));
const FoundIterator wti(found.second.find(type));
if (!is_origin && (options & FIND_GLUE_OK) == 0 &&
if (!is_origin && (options & FIND_GLUE_OK) == 0 && type != RRType::DS() &&
nsi != found.second.end()) {
// A NS RRset was found at the domain we were searching for. As it is
// not at the origin of the zone, it is a delegation and indicates that
// this zone is not authoritative for the data. Just return the
// delegation information.
// delegation information, except:
// - when we are looking for glue records (FIND_GLUE_OK), or
// - when the query type is DS (which cancels the delegation)
return (logAndCreateResult(name, wildname, type, DELEGATION,
nsi->second,
wild ? DATASRC_DATABASE_WILDCARD_NS :
......
......@@ -142,9 +142,11 @@ const char* const TEST_RECORDS[][5] = {
{"delegation.example.org.", "NS", "3600", "", "ns.example.com."},
{"delegation.example.org.", "NS", "3600", "",
"ns.delegation.example.org."},
{"delegation.example.org.", "DS", "3600", "", "1 RSAMD5 2 abcd"},
{"delegation.example.org.", "DS", "3600", "", "1 1 2 abcd"},
{"delegation.example.org.", "RRSIG", "3600", "", "NS 5 3 3600 "
"20000101000000 20000201000000 12345 example.org. FAKEFAKEFAKE"},
{"delegation.example.org.", "RRSIG", "3600", "", "DS 5 3 3600 "
"20000101000000 20000201000000 12345 example.org. FAKEFAKEFAKE"},
{"ns.delegation.example.org.", "A", "3600", "", "192.0.2.1"},
{"deep.below.delegation.example.org.", "A", "3600", "", "192.0.2.1"},
......@@ -156,6 +158,16 @@ const char* const TEST_RECORDS[][5] = {
{"below.dname.example.org.", "A", "3600", "", "192.0.2.1"},
// Insecure delegation (i.e., no DS at the delegation point)
{"insecdelegation.example.org.", "NS", "3600", "", "ns.example.com."},
{"insecdelegation.example.org.", "NSEC", "3600", "",
"dummy.example.org. NS NSEC"},
// and a DS under the zone cut. Such an RR shouldn't exist in a sane zone,
// but it could by error or some malicious attempt. It shouldn't confuse
// the implementation)
{"child.insecdelegation.example.org.", "DS", "3600", "", "DS 5 3 3600 "
"20000101000000 20000201000000 12345 example.org. FAKEFAKEFAKE"},
// Broken NS
{"brokenns1.example.org.", "A", "3600", "", "192.0.2.1"},
{"brokenns1.example.org.", "NS", "3600", "", "ns.example.com."},
......@@ -2201,6 +2213,48 @@ TYPED_TEST(DatabaseClientTest, findDelegation) {
DataSourceError);
}
TYPED_TEST(DatabaseClientTest, findDS) {
// Type DS query is an exception to the general delegation case; the NS
// should be ignored and it should be treated just like normal
// authoritative data.
boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
// DS exists at the delegation point. It should be returned with result
// code of SUCCESS.
this->expected_rdatas_.push_back("1 1 2 abcd"),
this->expected_sig_rdatas_.push_back("DS 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
doFindTest(*finder, Name("delegation.example.org."),
RRType::DS(), RRType::DS(), this->rrttl_, ZoneFinder::SUCCESS,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_DEFAULT);
// DS doesn't exist at the delegation point. The result should be
// NXRRSET, and if DNSSEC is requested and the zone is NSEC-signed,
// the corresponding NSEC should be returned (normally with its RRSIG,
// but in this simplified test setup it's omitted in the test data).
this->expected_rdatas_.clear();
this->expected_rdatas_.push_back("dummy.example.org. NS NSEC");
this->expected_sig_rdatas_.clear();
doFindTest(*finder, Name("insecdelegation.example.org."),
RRType::DS(), RRType::NSEC(), this->rrttl_, ZoneFinder::NXRRSET,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_NSEC_SIGNED,
Name("insecdelegation.example.org."), ZoneFinder::FIND_DNSSEC);
// Some insane case: DS under a zone cut. It's included in the DB, but
// shouldn't be visible via finder.
this->expected_rdatas_.clear();
this->expected_rdatas_.push_back("ns.example.com");
doFindTest(*finder, Name("child.insecdelegation.example.org"),
RRType::DS(), RRType::NS(), this->rrttl_,
ZoneFinder::DELEGATION, this->expected_rdatas_,
this->empty_rdatas_, ZoneFinder::RESULT_DEFAULT,
Name("insecdelegation.example.org."), ZoneFinder::FIND_DNSSEC);
}
TYPED_TEST(DatabaseClientTest, emptyDomain) {
boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment