Commit 97cf501e authored by xiejiagui's avatar xiejiagui Committed by xiejiagui

[1310] Add comments for two NSEC RRs which prove either NXDOMAIN

       or NXRRSET of wildcard expansion.
parent 8b92bb93
......@@ -188,16 +188,16 @@ Query::addWildcardProof(ZoneFinder& finder) {
void
Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
// There should be one NSEC RR which was found in the zone to prove
// that there is not matched <QNAME,QTYPE> via wildcard expansion.
// that there is not matched <QNAME,QTYPE> via wildcard expansion.
if (nsec->getRdataCount() == 0) {
isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
return;
}
isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
return;
}
// Add this NSEC RR to authority section.
response_.addRRset(Message::SECTION_AUTHORITY,
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<RRset>(nsec), dnssec_);
const ZoneFinder::FindResult fresult =
const ZoneFinder::FindResult fresult =
finder.find(qname_, RRType::NSEC(), NULL,
dnssec_opt_ | ZoneFinder::NO_WILDCARD);
if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
......@@ -207,13 +207,13 @@ Query::addWildcardNxrrsetProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
}
if (nsec->getName() != fresult.rrset->getName()) {
// one NSEC RR proves wildcard_nxrrset that no matched QNAME.
// one NSEC RR proves wildcard_nxrrset that no matched QNAME.
response_.addRRset(Message::SECTION_AUTHORITY,
boost::const_pointer_cast<RRset>(fresult.rrset),
dnssec_);
}
}
}
void
Query::addAuthAdditional(ZoneFinder& finder) {
// Fill in authority and addtional sections.
......@@ -384,12 +384,12 @@ Query::process() {
dnssec_);
}
break;
case ZoneFinder::WILDCARD_NXRRSET:
case ZoneFinder::WILDCARD_NXRRSET:
addSOA(*result.zone_finder);
if (dnssec_ && db_result.rrset) {
addWildcardNxrrsetProof(zfinder,db_result.rrset);
}
break;
addWildcardNxrrsetProof(zfinder,db_result.rrset);
}
break;
default:
// This is basically a bug of the data source implementation,
// but could also happen in the middle of development where
......
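Review bot: In `addWildcardNxrrsetProof` the `return;` after `isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");` is unreachable, because isc_throw raises an exception; drop it so the failure path reads as a hard stop. The comments on the two `addRRset` calls also do not say which denial each NSEC carries, which is what a validating resolver checks under RFC 4035 section 3.1.3.4. I would write `// NSEC at the wildcard owner: shows the wildcard has no RRset of QTYPE.` above the first call and `// NSEC covering QNAME: shows no closer match exists; skipped when it is the same RR.` above the second. The condition starting `if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||` continues outside the hunk, so its failure handling is not covered by this note.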
......@@ -83,17 +83,17 @@ private:
void addWildcardProof(isc::datasrc::ZoneFinder& finder);
/// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
/// matched <QNAME,QTYPE> through wildcard extension.
///
/// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
/// matched <QNAME,QTYPE> through wildcard extension.
///
/// Add NSEC RRs that prove an WILDCARD_NXRRSET result.
/// This corresponds to Section 3.1.3.4 of RFC 4035.
/// \param finder The ZoneFinder through which the authority data for the
/// query is to be found.
/// \param nsec The RRset (NSEC RR) which proved that there is no matched
/// <QNAME,QTTYPE>.
/// \param finder The ZoneFinder through which the authority data for the
/// query is to be found.
/// \param nsec The RRset (NSEC RR) which proved that there is no matched
/// <QNAME,QTTYPE>.
void addWildcardNxrrsetProof(isc::datasrc::ZoneFinder& finder,
isc::dns::ConstRRsetPtr nsec);
isc::dns::ConstRRsetPtr nsec);
/// \brief Look up additional data (i.e., address records for the names
/// included in NS or MX records) and add them to the additional section.
///
......
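Review bot: The doc comment on `addWildcardNxrrsetProof` spells the tuple `<QNAME,QTTYPE>` in the `\param nsec` text and says "wildcard extension" where the term used elsewhere in the commit is wildcard expansion; both should be corrected so the contract can be searched for. The comment also omits that the implementation throws `BadNSEC` when the supplied NSEC is empty, which callers building a signed negative answer need to know. I would add `/// \exception BadNSEC The given NSEC RRset is empty.` after the `\param` lines.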
// Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
/ Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
......@@ -102,13 +102,13 @@ const char* const nsec_cnamewild_txt = "*.cnamewild.example.com. "
"3600 IN NSEC delegation.example.com. CNAME NSEC RRSIG\n";
// Wildcard_nxrrset
const char* const wild_txt_nxrrset =
"*.uwild.example.com. 3600 IN A 192.0.2.9\n";
"*.uwild.example.com. 3600 IN A 192.0.2.9\n";
const char* const nsec_wild_txt_nxrrset =
"*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
"*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG\n";
const char* const wild_txt_next =
"www.uwild.example.com. 3600 IN A 192.0.2.11\n";
"www.uwild.example.com. 3600 IN A 192.0.2.11\n";
const char* const nsec_wild_txt_next =
"www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
"www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG\n";
// Used in NXDOMAIN proof test. We are going to test some unusual case where
// the best possible wildcard is below the "next domain" of the NSEC RR that
// proves the NXDOMAIN, i.e.,
......@@ -191,7 +191,7 @@ public:
wild_txt_nxrrset<<nsec_wild_txt_nxrrset<<wild_txt_next<<
nsec_wild_txt_next;
masterLoad(zone_stream, origin_, rrclass_,
masterLoad(zone_stream, origin_, rrclass_,
boost::bind(&MockZoneFinder::loadRRset, this, _1));
empty_nsec_rrset_ = ConstRRsetPtr(new RRset(Name::ROOT_NAME(),
......@@ -406,27 +406,27 @@ MockZoneFinder::find(const Name& name, const RRType& type,
// hardcoded specific cases, ignoring other details such as canceling
// due to the existence of closer name.
if ((options & NO_WILDCARD) == 0) {
const Name wild_suffix(name.split(1));
if (name.equals(Name("www.wild.example.com"))||
name.equals(Name("www1.uwild.example.com"))) {
if (name.compare(wild_suffix).getRelation() ==
NameComparisonResult::SUBDOMAIN) {
domain = domains_.find(Name("*").concatenate(wild_suffix));
assert(domain != domains_.end());
RRsetStore::const_iterator found_rrset = domain->second.find(type);
if (found_rrset != domain->second.end()) {
return (FindResult(WILDCARD,
const Name wild_suffix(name.split(1));
if (name.equals(Name("www.wild.example.com"))||
name.equals(Name("www1.uwild.example.com"))) {
if (name.compare(wild_suffix).getRelation() ==
NameComparisonResult::SUBDOMAIN) {
domain = domains_.find(Name("*").concatenate(wild_suffix));
assert(domain != domains_.end());
RRsetStore::const_iterator found_rrset = domain->second.find(type);
if (found_rrset != domain->second.end()) {
return (FindResult(WILDCARD,
substituteWild(*found_rrset->second, name)));
} else {
found_rrset = domain->second.find(RRType::NSEC());
assert(found_rrset != domain->second.end());
Name newName = Name("*").concatenate(wild_suffix);
return (FindResult(WILDCARD_NXRRSET,
substituteWild(*found_rrset->second,newName)));
}
}
}
} else {
found_rrset = domain->second.find(RRType::NSEC());
assert(found_rrset != domain->second.end());
Name newName = Name("*").concatenate(wild_suffix);
return (FindResult(WILDCARD_NXRRSET,
substituteWild(*found_rrset->second,newName)));
}
}
}
const Name cnamewild_suffix("cnamewild.example.com");
if (name.compare(cnamewild_suffix).getRelation() ==
NameComparisonResult::SUBDOMAIN) {
......@@ -946,8 +946,9 @@ TEST_F(QueryTest, badWildcardProof3) {
}
TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
// NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
// NXRRSET and their RRSIGs.
// WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
// NXRRSET and their RRSIGs. In this case we only need one NSEC,
// which proves both NXDOMAIN and the non existence RRSETs of wildcard.
Query(memory_client, Name("www.wild.example.com"), RRType::TXT(), response,
true).process();
......@@ -961,20 +962,21 @@ TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
}
TEST_F(QueryTest, wildcardNxrrsetWithNSEC) {
// NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
// NXRRSET and their RRSIGs.
// WILDCARD_NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
// NXRRSET and their RRSIGs. In this case we need two NSEC RRs,
// one proves NXDOMAIN and the other proves non existence RRSETs of wildcard.
Query(memory_client, Name("www1.uwild.example.com"), RRType::TXT(), response,
true).process();
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("SOA") + "\n" +
string(nsec_wild_txt_nxrrset) +
string("*.uwild.example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("NSEC")+"\n" +
string(nsec_wild_txt_next) +
string("www.uwild.example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("NSEC") + "\n").c_str(),
string(nsec_wild_txt_next) +
string("www.uwild.example.com. 3600 IN RRSIG ") +
getCommonRRSIGText("NSEC") + "\n").c_str(),
NULL, mock_finder->getOrigin());
}
/*
......
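Review bot: The new comment in `wildcardNxrrsetWithNSEC` says one NSEC "proves NXDOMAIN", yet the asserted response is `Rcode::NOERROR()`; what that NSEC shows is that no closer match for the query name exists, so the wildcard applies. I would word it as `// one shows no closer match for QNAME exists, the other shows the wildcard has no RRset of QTYPE.` and use the same terms in `wildcardNxrrsetWithDuplicateNSEC`, where a single NSEC serves both roles. The visible hunks contain no case for the `BadNSEC` path of `addWildcardNxrrsetProof` (an empty NSEC); it may exist outside these hunks. If it does not, it is worth adding, since a malformed proof should fail loudly rather than yield an answer a validator cannot verify.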