Commit 94793e41 authored by haikuo zhang's avatar haikuo zhang

[1579] If nsec and nsec3 coexist in zone, find function and findAll

function will throw error. find and findAll function will set
RESULT_NSEC3_SIGNED if the zone is signed with NSEC3.
parent dfd2aeef
......@@ -286,13 +286,11 @@ DatabaseClient::Finder::getRRsets(const string& name, const WantedTypes& types,
i != result.end(); ++ i) {
sig_store.appendSignatures(i->second);
}
if (records_found && any) {
result[RRType::ANY()] = RRsetPtr();
// These will be sitting on the other RRsets.
result.erase(RRType::RRSIG());
}
return (FoundRRsets(records_found, result));
}
......@@ -367,6 +365,19 @@ FINAL_TYPES() {
return (result);
}
const WantedTypes&
FINAL_TYPES_NO_NSEC() {
static bool initialized(false);
static WantedTypes result;
if (!initialized) {
result.insert(RRType::CNAME());
result.insert(RRType::NS());
initialized = true;
}
return (result);
}
}
ConstRRsetPtr
......@@ -412,10 +423,16 @@ DatabaseClient::Finder::findAll(const isc::dns::Name& name,
std::vector<isc::dns::ConstRRsetPtr>& target,
const FindOptions options)
{
const bool need_nsec3 = (((options & FIND_DNSSEC) != 0) && isNSEC3());
if ((need_nsec3 == true) && (isNSEC() == true)){
isc_throw(DataSourceError, "nsec and nsec3 coexist");
}
// If the zone is signed with NSEC3, need to add RESULT_NSEC3_SIGNED to the flags
// in FindContext when NXRRSET NXDOMAIN or WILDCARD in the DNSSEC query, no need
// NSEC RRset at the same time.
return (ZoneFinderContextPtr(new Context(*this, options,
findInternal(name, RRType::ANY(),
&target, options),
target)));
findInternal(name, RRType::ANY(), &target,
options, need_nsec3),target)));
}
ZoneFinderContextPtr
......@@ -426,9 +443,16 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
if (type == RRType::ANY()) {
isc_throw(isc::Unexpected, "Use findAll to answer ANY");
}
// If the zone is signed with NSEC3, need to add RESULT_NSEC3_SIGNED to the flags
// in FindContext when NXRRSET NXDOMAIN or WILDCARD in the DNSSEC query, no need
// NSEC RRset at the same time.
const bool need_nsec3 = (((options & FIND_DNSSEC) != 0) && isNSEC3());
if ((need_nsec3 == true) && (isNSEC() == true)){
isc_throw(DataSourceError, "nsec and nsec3 coexist");
}
return (ZoneFinderContextPtr(new Context(*this, options,
findInternal(name, type,
NULL, options))));
NULL, options,need_nsec3))));
}
DatabaseClient::Finder::DelegationSearchResult
......@@ -593,12 +617,12 @@ ZoneFinder::ResultContext
DatabaseClient::Finder::findWildcardMatch(
const isc::dns::Name& name, const isc::dns::RRType& type,
const FindOptions options, const DelegationSearchResult& dresult,
std::vector<isc::dns::ConstRRsetPtr>* target)
std::vector<isc::dns::ConstRRsetPtr>* target, const bool need_nsec3)
{
// Note that during the search we are going to search not only for the
// requested type, but also for types that indicate a delegation -
// NS and DNAME.
WantedTypes final_types(FINAL_TYPES());
WantedTypes final_types(need_nsec3 ? FINAL_TYPES_NO_NSEC() : FINAL_TYPES());
final_types.insert(type);
const size_t remove_labels = name.getLabelCount() - dresult.last_known;
......@@ -632,12 +656,12 @@ DatabaseClient::Finder::findWildcardMatch(
DATASRC_DATABASE_WILDCARD_CANCEL_NS).
arg(accessor_->getDBName()).arg(wildcard).
arg(dresult.first_ns->getName());
return (ResultContext(DELEGATION, dresult.first_ns));
return (ResultContext(DELEGATION, dresult.first_ns));
} else if (!hasSubdomains(name.split(i - 1).toText())) {
// The wildcard match is the best one, find the final result
// at it. Note that wildcard should never be the zone origin.
return (findOnNameResult(name, type, options, false,
found, &wildcard, target));
found, &wildcard, target, need_nsec3));
} else {
// more specified match found, cancel wildcard match
......@@ -653,7 +677,7 @@ DatabaseClient::Finder::findWildcardMatch(
LOG_DEBUG(logger, DBG_TRACE_DETAILED,
DATASRC_DATABASE_WILDCARD_EMPTY).
arg(accessor_->getDBName()).arg(wildcard).arg(name);
if ((options & FIND_DNSSEC) != 0) {
if (((options & FIND_DNSSEC) != 0) && (need_nsec3 == false)) {
ConstRRsetPtr nsec = findNSECCover(Name(wildcard));
if (nsec) {
return (ResultContext(NXRRSET, nsec,
......@@ -661,7 +685,8 @@ DatabaseClient::Finder::findWildcardMatch(
RESULT_NSEC_SIGNED));
}
}
return (ResultContext(NXRRSET, ConstRRsetPtr(), RESULT_WILDCARD));
return (ResultContext(NXRRSET, ConstRRsetPtr(), need_nsec3 ?
(RESULT_WILDCARD | RESULT_NSEC3_SIGNED) : RESULT_WILDCARD));
}
}
......@@ -707,11 +732,16 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
const FoundRRsets& found,
const string* wildname,
std::vector<isc::dns::ConstRRsetPtr>*
target)
target, const bool need_nsec3)
{
const bool wild = (wildname != NULL);
FindResultFlags flags = wild ? RESULT_WILDCARD : RESULT_DEFAULT;
FindResultFlags flags;
if (need_nsec3) {
flags = wild ? (RESULT_WILDCARD | RESULT_NSEC3_SIGNED) :
RESULT_DEFAULT;
} else {
flags = wild ? RESULT_WILDCARD : RESULT_DEFAULT;
}
// Get iterators for the different types of records we are interested in -
// CNAME, NS and Wanted types.
const FoundIterator nsi(found.second.find(RRType::NS()));
......@@ -723,7 +753,7 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
// TODO: this part should be revised when we support NSEC3; ideally we
// should use more effective and efficient way to identify (whether and)
// in which way the zone is signed.
if (wild && (options & FIND_DNSSEC) != 0 &&
if (wild && (options & FIND_DNSSEC) != 0 && (need_nsec3 == false) &&
found.second.find(RRType::NSEC()) != found.second.end()) {
flags = flags | RESULT_NSEC_SIGNED;
}
......@@ -755,7 +785,6 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
wild ? DATASRC_DATABASE_WILDCARD_CNAME :
DATASRC_DATABASE_FOUND_CNAME,
flags));
} else if (wti != found.second.end()) {
bool any(type == RRType::ANY());
isc::log::MessageID lid(wild ? DATASRC_DATABASE_WILDCARD_MATCH :
......@@ -788,7 +817,7 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
// NSEC records in the name of the wildcard, not the substituted one,
// so we need to search the tree again.
ConstRRsetPtr nsec_rrset; // possibly used with DNSSEC, otherwise NULL
if ((options & FIND_DNSSEC) != 0) {
if ((options & FIND_DNSSEC) != 0 && (need_nsec3 == false)) {
if (wild) {
const FoundRRsets wfound = getRRsets(*wildname, NSEC_TYPES(),
true);
......@@ -812,7 +841,8 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
}
return (logAndCreateResult(name, wildname, type, NXRRSET, nsec_rrset,
wild ? DATASRC_DATABASE_WILDCARD_NXRRSET :
DATASRC_DATABASE_FOUND_NXRRSET, flags));
DATASRC_DATABASE_FOUND_NXRRSET, need_nsec3?
(flags | RESULT_NSEC3_SIGNED):flags));
}
ZoneFinder::ResultContext
......@@ -820,9 +850,10 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
FindOptions options,
const DelegationSearchResult& dresult,
std::vector<isc::dns::ConstRRsetPtr>*
target)
target, const bool need_nsec3)
{
const bool dnssec_data = ((options & FIND_DNSSEC) != 0);
const bool need_nsec = ((dnssec_data == true) && (need_nsec3 == false));
// On entry to this method, we know that the database doesn't have any
// entry for this name. Before returning NXDOMAIN, we need to check
// for special cases.
......@@ -834,17 +865,17 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
LOG_DEBUG(logger, DBG_TRACE_DETAILED,
DATASRC_DATABASE_FOUND_EMPTY_NONTERMINAL).
arg(accessor_->getDBName()).arg(name);
const ConstRRsetPtr nsec = dnssec_data ? findNSECCover(name) :
ConstRRsetPtr();
const ConstRRsetPtr nsec = need_nsec ? findNSECCover(name) :
ConstRRsetPtr();
return (ResultContext(NXRRSET, nsec, nsec ? RESULT_NSEC_SIGNED :
RESULT_DEFAULT));
(need_nsec3 ? RESULT_NSEC3_SIGNED : RESULT_DEFAULT)));
} else if ((options & NO_WILDCARD) == 0) {
// It's not an empty non-terminal and wildcard matching is not
// disabled, so check for wildcards. If there is a wildcard match
// (i.e. all results except NXDOMAIN) return it; otherwise fall
// through to the NXDOMAIN case below.
const ResultContext wcontext =
findWildcardMatch(name, type, options, dresult, target);
findWildcardMatch(name, type, options, dresult, target, need_nsec3);
if (wcontext.code != NXDOMAIN) {
return (wcontext);
}
......@@ -854,16 +885,41 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
// NSEC records if requested).
LOG_DEBUG(logger, DBG_TRACE_DETAILED, DATASRC_DATABASE_NO_MATCH).
arg(accessor_->getDBName()).arg(name).arg(type).arg(getClass());
const ConstRRsetPtr nsec = dnssec_data ? findNSECCover(name) :
const ConstRRsetPtr nsec = need_nsec ? findNSECCover(name) :
ConstRRsetPtr();
return (ResultContext(NXDOMAIN, nsec,
nsec ? RESULT_NSEC_SIGNED : RESULT_DEFAULT));
nsec ? RESULT_NSEC_SIGNED : (need_nsec3 ?
RESULT_NSEC3_SIGNED : RESULT_DEFAULT)));
}
bool
DatabaseClient::Finder::isNSEC3()
{
// If an NSEC3PARAM RR exists at the zone apex, it's quite likely that
// the zone is signed with NSEC3. (If not the zone is more or less broken,
// but it's caller's responsibility how to handle such cases).
const FoundRRsets nsec3_found = getRRsets(origin_.toText(),
NSEC3PARAM_TYPES(), false);
const FoundIterator nfi(nsec3_found.second.find(RRType::NSEC3PARAM()));
return (nfi != nsec3_found.second.end());
}
bool
DatabaseClient::Finder::isNSEC()
{
// If an NSEC RRsets exists at the zone apex, it's quite likely that
// the zone is signed with NSEC. (If not the zone is more or less broken,
// but it's caller's responsibility how to handle such cases)
const FoundRRsets nsec_found = getRRsets(origin_.toText(),
NSEC_TYPES(), false);
const FoundIterator nfi(nsec_found.second.find(RRType::NSEC()));
return (nfi != nsec_found.second.end());
}
ZoneFinder::ResultContext
DatabaseClient::Finder::findInternal(const Name& name, const RRType& type,
std::vector<ConstRRsetPtr>* target,
const FindOptions options)
const FindOptions options, const bool is_nsec3)
{
LOG_DEBUG(logger, DBG_TRACE_DETAILED, DATASRC_DATABASE_FIND_RECORDS)
.arg(accessor_->getDBName()).arg(name).arg(type).arg(getClass());
......@@ -902,59 +958,20 @@ DatabaseClient::Finder::findInternal(const Name& name, const RRType& type,
// apex - DNAME is ignored here as it redirects DNS names subordinate to
// the owner name - the owner name itself is not redirected.)
const bool is_origin = (name == getOrigin());
WantedTypes final_types(FINAL_TYPES());
WantedTypes final_types(is_nsec3 ? FINAL_TYPES_NO_NSEC() : FINAL_TYPES());
final_types.insert(type);
const FoundRRsets found = getRRsets(name.toText(), final_types,
!is_origin, NULL,
type == RRType::ANY());
// If an NSEC3PARAM RR exists at the zone apex, it's quite likely that
// the zone is signed with NSEC3. (If not the zone is more or less broken,
// but it's caller's responsibility how to handle such cases).
const FoundRRsets nsec3_found = getRRsets(origin_.toText(),
NSEC3PARAM_TYPES(), false);
const FoundIterator nfi(nsec3_found.second.find(RRType::NSEC3PARAM()));
const bool is_nsec3 = (nfi != nsec3_found.second.end());
if (found.first) {
// Something found at the domain name. Look into it further to get
// the final result.
if (is_nsec3) {
const ZoneFinder::ResultContext result_context =
findOnNameResult(name, type, options, is_origin, found, NULL,
target);
if ((result_context.code & NXRRSET) != 0 ||
(result_context.flags & RESULT_WILDCARD) != 0) {
return (ZoneFinder::ResultContext(result_context.code,
result_context.rrset,
(result_context.flags |
RESULT_NSEC3_SIGNED)));
} else {
return (result_context);
}
} else {
return (findOnNameResult(name, type, options, is_origin, found,
NULL, target));
}
return (findOnNameResult(name, type, options, is_origin, found,
NULL, target, is_nsec3));
} else {
// Did not find anything at all at the domain name, so check for
// subdomains or wildcards.
if (is_nsec3) {
// NSEC3 is used for this zone
const ZoneFinder::ResultContext result_context =
findNoNameResult(name, type, options, dresult, target);
if ((result_context.code & (NXRRSET | NXDOMAIN)) != 0 ||
(result_context.flags & RESULT_WILDCARD) != 0) {
// NXRRSET NXDOMAIN and wildcard should set RESULT_NSEC3_SIGNED
return (ZoneFinder::ResultContext(result_context.code,
result_context.rrset,
(result_context.flags |
RESULT_NSEC3_SIGNED)));
} else {
return (result_context);
}
} else {
return (findNoNameResult(name, type, options, dresult, target));
}
return (findNoNameResult(name, type, options, dresult, target, is_nsec3));
}
}
......
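Review bot: The coexistence check at the top of findAll() and find() throws DataSourceError with only the text "nsec and nsec3 coexist", so once a zone has both an apex NSEC RRset and an NSEC3PARAM, every FIND_DNSSEC lookup on it fails and the error does not say which zone is affected. Failing closed is defensible compared with returning the wrong denial-of-existence proof, but the message should name the zone, e.g. `isc_throw(DataSourceError, "NSEC and NSEC3PARAM both present at apex of " << origin_.toText());`. The check also adds an apex getRRsets() query to each DNSSEC lookup (two when NSEC3PARAM is present, via isNSEC3() then isNSEC()) and is duplicated verbatim in both functions; one private helper that computes need_nsec3 and performs the throw would keep the two entry points in step. Whether a zone in transition between NSEC and NSEC3 can legitimately be in this state is not visible here and is worth confirming before treating it as a hard error.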
......@@ -706,6 +706,17 @@ public:
virtual isc::dns::Name getOrigin() const;
virtual isc::dns::RRClass getClass() const;
/// \brief check whether zone is signed with nsec3
///
/// searches the NSEC3PARAM RRset in the zone apex, if it exists, the
/// zone looks signed with nsec3
bool isNSEC3();
/// \brief check whether zone is signed with nsec
///
/// searches the NSEC RRset in the zone apex, if it exists, the
/// zone looks signed with nsec
bool isNSEC();
/// \brief Find an RRset in the datasource
///
/// Searches the datasource for an RRset of the given name and
......@@ -801,7 +812,8 @@ public:
const isc::dns::RRType& type,
std::vector<isc::dns::ConstRRsetPtr>*
target,
const FindOptions options = FIND_DEFAULT);
const FindOptions options = FIND_DEFAULT,
const bool need_nsec3 = false);
/// \brief Searches database for RRsets of one domain.
///
......@@ -939,7 +951,8 @@ public:
/// \param target If the type happens to be ANY, it will insert all
/// the RRsets of the found name (if any is found) here instead
/// of being returned by the result.
///
/// \param need_nsec3 When zone is signed with nsec3, no need to find
/// nsec rrset
/// \return Tuple holding the result of the search - the RRset of the
/// wildcard records matching the name, together with a status
/// indicating the match type (e.g. CNAME at the wildcard
......@@ -952,7 +965,8 @@ public:
const isc::dns::RRType& type,
const FindOptions options,
const DelegationSearchResult& dresult,
std::vector<isc::dns::ConstRRsetPtr>* target);
std::vector<isc::dns::ConstRRsetPtr>* target,
const bool need_nsec3);
/// \brief Handle matching results for name
///
......@@ -985,7 +999,8 @@ public:
/// it's NULL in the case of non wildcard match.
/// \param target When the query is any, this must be set to a vector
/// where the result will be stored.
///
/// \param need_nsec3 When zone is signed with nsec3, no need to find
/// nsec rrset
/// \return Tuple holding the result of the search - the RRset of the
/// wildcard records matching the name, together with a status
/// indicating the match type (corresponding to the each of
......@@ -999,7 +1014,7 @@ public:
const FoundRRsets& found,
const std::string* wildname,
std::vector<isc::dns::ConstRRsetPtr>*
target);
target, const bool need_nsec3);
/// \brief Handle no match for name
///
......@@ -1024,7 +1039,8 @@ public:
/// \param target If the query is for type ANY, the successfull result,
/// if there happens to be one, will be returned through the
/// parameter, as it doesn't fit into the result.
///
/// \param need_nsec3 When zone is signed with nsec3, no need to find
/// nsec rrset
/// \return Tuple holding the result of the search - the RRset of the
/// wildcard records matching the name, together with a status
/// indicating the match type (e.g. CNAME at the wildcard
......@@ -1035,7 +1051,7 @@ public:
FindOptions options,
const DelegationSearchResult& dresult,
std::vector<isc::dns::ConstRRsetPtr>*
target);
targeti, const bool need_nsec3);
/// Logs condition and creates result
///
......
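Review bot: The last declaration in this section (findNoNameResult, judging by the preceding doc comment) names its vector parameter `targeti`, which looks like a stray keystroke. It still compiles, because parameter names in a declaration are not checked against the definition, but it no longer matches the `\param target` text above it and should read `target, const bool need_nsec3);`. What appears to be the findInternal declaration gives the new parameter a default (`const bool need_nsec3 = false`) while the definition calls it `is_nsec3`; using one name for both and dropping the default would prevent a caller that omits the argument from silently getting NSEC behaviour on an NSEC3 zone. The repeated `\param need_nsec3` text would be clearer as `\param need_nsec3 true if the zone is NSEC3-signed and DNSSEC data was requested; NSEC RRsets are then not looked up`.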
......@@ -1460,7 +1460,9 @@ doFindAllTestResult(ZoneFinder& finder, const isc::dns::Name& name,
const isc::dns::Name& expected_name =
isc::dns::Name::ROOT_NAME(),
const ZoneFinder::FindOptions options =
ZoneFinder::FIND_DEFAULT)
ZoneFinder::FIND_DEFAULT,
ZoneFinder::FindResultFlags expected_flags =
ZoneFinder::RESULT_DEFAULT)
{
SCOPED_TRACE("All test for " + name.toText());
std::vector<ConstRRsetPtr> target;
......@@ -1468,6 +1470,15 @@ doFindAllTestResult(ZoneFinder& finder, const isc::dns::Name& name,
EXPECT_TRUE(target.empty());
EXPECT_EQ(expected_result, result->code);
EXPECT_EQ(expected_type, result->rrset->getType());
if (expected_flags != ZoneFinder::RESULT_DEFAULT){
EXPECT_EQ((expected_flags & ZoneFinder::RESULT_WILDCARD) != 0,
result->isWildcard());
EXPECT_EQ((expected_flags & ZoneFinder::RESULT_NSEC_SIGNED) != 0,
result->isNSECSigned());
EXPECT_EQ((expected_flags & ZoneFinder::RESULT_NSEC3_SIGNED) != 0,
result->isNSEC3Signed());
}
RdataIteratorPtr it(result->rrset->getRdataIterator());
std::vector<std::string> rdata;
while (!it->isLast()) {
......@@ -2286,46 +2297,80 @@ TYPED_TEST(DatabaseClientTest, dbNegativeCaseFind) {
// signed with NSEC or NSEC3, that is good for upper layer caller.
// First off, everything should be okay if no NSEC3PARAM rrset
this->updater_ = this->client_->getUpdater(this->zname_, false);
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("doesnotexist.example.org."),
this->qtype_, this->qtype_, this->rrttl_,
this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
doFindTest(*finder, isc::dns::Name("www1.example.org."),
this->qtype_, isc::dns::RRType::NSEC(), this->rrttl_,
ZoneFinder::NXDOMAIN, this->expected_rdatas_,
this->expected_sig_rdatas_);
this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC_SIGNED,
Name("www.example.org."), ZoneFinder::FIND_DNSSEC);
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
doFindTest(*finder, isc::dns::Name("www.example.org."),
isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
this->rrttl_, ZoneFinder::NXRRSET,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_NSEC_SIGNED, isc::dns::Name::ROOT_NAME(),
ZoneFinder::FIND_DNSSEC);
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("www.example.org."),
isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
this->rrttl_,
ZoneFinder::NXRRSET,
this->expected_rdatas_, this->expected_sig_rdatas_);
this->expected_rdatas_.push_back("192.0.2.5");
this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
doFindTest(this->updater_->getFinder(),
isc::dns::Name("b.a.wild.example.org"),
this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::SUCCESS,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_WILDCARD);
doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::A(), isc::dns::RRType::A(),
this->rrttl_, ZoneFinder::SUCCESS, this->expected_rdatas_,
this->expected_sig_rdatas_,
(ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC_SIGNED),
isc::dns::Name("b.a.wild.example.org"), ZoneFinder::FIND_DNSSEC);
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
this->expected_rdatas_.push_back("cancel.here.wild.example.org. A NSEC "
"RRSIG");
this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
this->rrttl_, ZoneFinder::NXRRSET, this->expected_rdatas_,
this->empty_rdatas_,
ZoneFinder::RESULT_WILDCARD);
this->expected_sig_rdatas_, (ZoneFinder::RESULT_WILDCARD |
ZoneFinder::RESULT_NSEC_SIGNED),Name("*.wild.example.org"),
ZoneFinder::FIND_DNSSEC);
this->updater_ = this->client_->getUpdater(this->zname_, false);
this->rrset_.reset(new RRset(this->zname_, this->qclass_,
isc::dns::RRType::NSEC3PARAM(), this->rrttl_));
this->rrset_->addRdata(rdata::createRdata(isc::dns::RRType::NSEC3PARAM(),
this->rrset_->getClass(), "1 0 12 aabbccdd"));
this->updater_->addRRset(*this->rrset_);
this->updater_->commit();
try {
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(), isc::dns::Name("www1.example.org."),
this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::NXDOMAIN,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_NSEC3_SIGNED, isc::dns::Name::ROOT_NAME(),
ZoneFinder::FIND_DNSSEC);
} catch (const DataSourceError&) {}
// The following test should be tested in zone which is signed by NSEC3
#if 0
// Then, if NSEC3PARAM exists at the origin, the flags of result should
// contain RESULT_NSEC3_SIGNED flag when NXDOMAIN NXRRSET or wildcard
// Add NSEC3PARAM RRSET at the apex of the zone. It looks weird if the
// zone only has NSEC3PARM RRset (but no NSEC3s), but it is okay for unit
// test.
this->updater_ = this->client_->getUpdater(this->zname_, false);
this->rrset_.reset(new RRset(this->zname_, this->qclass_,
isc::dns::RRType::NSEC3PARAM(),
this->rrttl_));
......@@ -2333,49 +2378,47 @@ TYPED_TEST(DatabaseClientTest, dbNegativeCaseFind) {
this->rrset_->getClass(),
"1 0 12 aabbccdd"));
this->updater_->addRRset(*this->rrset_);
// check NXDOMAIN
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("doesnotexist.example.org."),
this->qtype_, this->qtype_, this->rrttl_,
ZoneFinder::NXDOMAIN, this->expected_rdatas_,
this->expected_sig_rdatas_,
ZoneFinder::RESULT_NSEC3_SIGNED);
isc::dns::Name("www1.example.org."), this->qtype_, this->qtype_,
this->rrttl_, ZoneFinder::NXDOMAIN, this->expected_rdatas_,
this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED,
isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
// check NXRRSET
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("www.example.org."),
doFindTest(this->updater_->getFinder(), isc::dns::Name("www.example.org."),
isc::dns::RRType::TXT(), isc::dns::RRType::TXT(), this->rrttl_,
ZoneFinder::NXRRSET, this->expected_rdatas_,
this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED);
this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED,
isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
// check flags if wildcard matches
this->expected_rdatas_.push_back("192.0.2.5");
this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
"FAKEFAKEFAKE");
doFindTest(this->updater_->getFinder(),
isc::dns::Name("b.a.wild.example.org"),
doFindTest(this->updater_->getFinder(), isc::dns::Name("b.a.wild.example.org"),
this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::SUCCESS,
this->expected_rdatas_, this->expected_sig_rdatas_,
ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED);
ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED,
isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
// check flags if NXRRSET in wildcard case
this->expected_rdatas_.clear();
this->expected_sig_rdatas_.clear();
doFindTest(this->updater_->getFinder(),
isc::dns::Name("b.a.wild.example.org"),
doFindTest(this->updater_->getFinder(), isc::dns::Name("b.a.wild.example.org"),
isc::dns::RRType::TXT(), isc::dns::RRType::TXT(),
this->rrttl_, ZoneFinder::NXRRSET, this->expected_rdatas_,
this->empty_rdatas_,
ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED);
this->empty_rdatas_, (ZoneFinder::RESULT_WILDCARD |
ZoneFinder::RESULT_NSEC3_SIGNED),
isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
#endif
}
TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
// The domain doesn't exist, so we must get the right NSEC
boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
"20000201000000 12345 example.org. "
......
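Review bot: The `try { doFindTest(...) } catch (const DataSourceError&) {}` block that follows the NSEC3PARAM commit swallows the exception and makes no assertion that it was thrown, so the new "nsec and nsec3 coexist" error path is not actually tested. State the expectation explicitly, e.g. `EXPECT_THROW(this->updater_->getFinder().find(isc::dns::Name("www1.example.org."), this->qtype_, ZoneFinder::FIND_DNSSEC), DataSourceError);`. The RESULT_NSEC3_SIGNED cases after it are compiled out with `#if 0`, which leaves the NSEC3 flag logic in find()/findAll() without active coverage; a fixture zone that has NSEC3PARAM and no apex NSEC would let them be re-enabled. The new expected_flags checks in doFindAllTestResult are skipped when the expected value is RESULT_DEFAULT, so that helper cannot detect a flag that is set unexpectedly.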
......@@ -297,7 +297,6 @@ TEST_P(ZoneFinderContextTest, getAdditionalForAny) {
vector<ConstRRsetPtr> all_rrsets;
ZoneFinderContextPtr ctx = finder_->findAll(qzone_, all_rrsets);
EXPECT_EQ(ZoneFinder::SUCCESS, ctx->code);
ctx->getAdditional(REQUESTED_BOTH, result_sets_);
rrsetsCheck("ns1.example.org. 3600 IN A 192.0.2.1\n"
"ns1.example.org. 3600 IN AAAA 2001:db8::1\n"
......