Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

[1805] completed implementation of getClosestNSEC().

for tests, we use some of the NXDOMAIN cases (part of #1809)
JINMEI Tatuya 13 years ago
parent
153b142c0e
commit
1322f10b28
2 changed files with 84 additions and 7 deletions
Unified View Show Diff Stats
  1. 51 1
      src/lib/datasrc/memory_datasrc.cc
  2. 33 6
      src/lib/datasrc/tests/memory_datasrc_unittest.cc

+ 51 - 1
src/lib/datasrc/memory_datasrc.cc
View File 

@@ -212,12 +212,61 @@ public:
 
 
 
     // Identify the RBTree node that best matches the given name.
 
     // Identify the RBTree node that best matches the given name.
 
     // See implementation notes below.
 
     // See implementation notes below.
 
+    // The caller should pass an empty node_path, and it will contain the
 
+    // search context for possible later use at the caller side.
 
     template <typename ResultType>
 
     template <typename ResultType>
 
     ResultType findNode(const Name& name,
 
     ResultType findNode(const Name& name,
 
                         RBTreeNodeChain<Domain>& node_path,
 
                         RBTreeNodeChain<Domain>& node_path,
 
                         ZoneFinder::FindOptions options) const;
 
                         ZoneFinder::FindOptions options) const;
 
+
 
+private:
 
+    // A helper method for NSEC-signed zones.  It searches the zone for
 
+    // the "closest" NSEC corresponding to the search context stored in
 
+    // node_path (it should contain sufficient information to identify the
 
+    // previous name of the query name in the zone).  In some cases the
 
+    // immediate closest name may not have NSEC (when it's under a zone cut
 
+    // for glue records, or even when the zone is partly broken), so this
 
+    // method continues the search until it finds a name that has NSEC,
 
+    // and returns the one found first.  Due to the prerequisite (see below),
 
+    // it should always succeed.
 
+    //
 
+    // node_path must store valid search context (in practice, it's expected
 
+    // to be set by findNode()); otherwise the underlying RBTree implementation
 
+    // throws.
 
+    //
 
+    // If the zone is not considered NSEC-signed or DNSSEC records were not
 
+    // required in the original search context (specified in options), this
 
+    // method doesn't bother to find NSEC, and simply returns NULL.  So, by
 
+    // definition of "NSEC-signed", when it really tries to find an NSEC it
 
+    // should succeed; there should be one at least at the zone origin.
 
+    ConstRBNodeRRsetPtr
 
+    getClosestNSEC(RBTreeNodeChain<Domain>& node_path,
 
+                   ZoneFinder::FindOptions options) const;
 
 };
 
 };
 
 
 
+ConstRBNodeRRsetPtr
 
+ZoneData::getClosestNSEC(RBTreeNodeChain<Domain>& node_path,
 
+                         ZoneFinder::FindOptions options) const
 
+{
 
+    if ((options & ZoneFinder::FIND_DNSSEC) == 0 || !nsec_signed_) {
 
+        return (ConstRBNodeRRsetPtr());
 
+    }
 
+
 
+    const DomainNode* prev_node;
 
+    while ((prev_node = domains_.previousNode(node_path)) != NULL) {
 
+        if (!prev_node->isEmpty()) {
 
+            const Domain::const_iterator found =
 
+                prev_node->getData()->find(RRType::NSEC());
 
+            if (found != prev_node->getData()->end()) {
 
+                return (found->second);
 
+            }
 
+        }
 
+    }
 
+    // This must be impossible and should be an internal bug.
 
+    // See the description at the method declaration.
 
+    assert(false);
 
+}
 
+
 
 /// Maintain intermediate data specific to the search context used in
 
 /// Maintain intermediate data specific to the search context used in
 
 /// \c find().
 
 /// \c find().
 
 ///
 
 ///
 
@@ -420,7 +469,8 @@ ZoneData::findNode(const Name& name, RBTreeNodeChain<Domain>& node_path,
 
         }
 
         }
 
         // Nothing really matched.
 
         // Nothing really matched.
 
         LOG_DEBUG(logger, DBG_TRACE_DATA, DATASRC_MEM_NOT_FOUND).arg(name);
 
         LOG_DEBUG(logger, DBG_TRACE_DATA, DATASRC_MEM_NOT_FOUND).arg(name);
 
-        return (ResultType(ZoneFinder::NXDOMAIN, node, state.rrset_));
 
+        return (ResultType(ZoneFinder::NXDOMAIN, node,
 
+                           getClosestNSEC(node_path, options)));
 
     } else {
 
     } else {
 
         // If the name is neither an exact or partial match, it is
 
         // If the name is neither an exact or partial match, it is
 
         // out of bailiwick, which is considered an error.
 
         // out of bailiwick, which is considered an error.

+ 33 - 6
src/lib/datasrc/tests/memory_datasrc_unittest.cc
View File 

@@ -1002,9 +1002,27 @@ InMemoryZoneFinderTest::findCheck(ZoneFinder::FindResultFlags expected_flags) {
 
     findTest(rr_ns_a_->getName(), RRType::NS(), ZoneFinder::NXRRSET, true,
 
     findTest(rr_ns_a_->getName(), RRType::NS(), ZoneFinder::NXRRSET, true,
 
              ConstRRsetPtr(), expected_flags);
 
              ConstRRsetPtr(), expected_flags);
 
 
 
-    // These domains don't exist (and one is out of the zone)
 
+    // These domains don't exist. (and one is out of the zone).  In an
 
-    findTest(Name("nothere.example.org"), RRType::A(), ZoneFinder::NXDOMAIN,
 
+    // NSEC-signed zone, it should return the covering NSEC for the query
 
-             true, ConstRRsetPtr(), expected_flags);
 
+    // name (the actual NSEC in the test data may not really "cover" it,
 
+    // but for the purpose of this test it's okay).
 
+    if ((expected_flags & ZoneFinder::RESULT_NSEC_SIGNED) != 0) {
 
+        // There's no other name between this one and the origin, so it
 
+        // should return the origin NSEC.
 
+        findTest(Name("nothere.example.org"), RRType::A(),
 
+                 ZoneFinder::NXDOMAIN, true, rr_nsec_, expected_flags,
 
+                 NULL, ZoneFinder::FIND_DNSSEC);
 
+
 
+        // The previous name in the zone is "ns.example.org", but it doesn't
 
+        // have an NSEC.  It should be skipped and the origin NSEC will be
 
+        // returned as the "closest NSEC".
 
+        findTest(Name("nxdomain.example.org"), RRType::A(),
 
+                 ZoneFinder::NXDOMAIN, true, rr_nsec_, expected_flags,
 
+                 NULL, ZoneFinder::FIND_DNSSEC);
 
+    } else {
 
+        findTest(Name("nothere.example.org"), RRType::A(),
 
+                 ZoneFinder::NXDOMAIN, true, ConstRRsetPtr(), expected_flags);
 
+    }
 
     EXPECT_THROW(zone_finder_.find(Name("example.net"), RRType::A()),
 
     EXPECT_THROW(zone_finder_.find(Name("example.net"), RRType::A()),
 
                  OutOfZone);
 
                  OutOfZone);
 
 }
 
 }
 
@@ -1271,9 +1289,18 @@ InMemoryZoneFinderTest::wildcardCheck(
 
     EXPECT_EQ(SUCCESS, zone_finder_.add(rr_under_wild_));
 
     EXPECT_EQ(SUCCESS, zone_finder_.add(rr_under_wild_));
 
     {
 
     {
 
         SCOPED_TRACE("Search under non-wildcard");
 
         SCOPED_TRACE("Search under non-wildcard");
 
-        findTest(Name("bar.foo.wild.example.org"), RRType::A(),
 
+        if ((expected_flags & ZoneFinder::RESULT_NSEC_SIGNED) != 0) {
 
-                 ZoneFinder::NXDOMAIN, true, ConstRRsetPtr(), expected_flags,
 
+            // For the test setup of "nsec-signed" zone, there's actually
 
-                 NULL, find_options);
 
+            // only one NSEC; the one at the apex.  So find() will return it
 
+            // as the covering NSEC.
 
+            findTest(Name("bar.foo.wild.example.org"), RRType::A(),
 
+                     ZoneFinder::NXDOMAIN, true, rr_nsec_, expected_flags,
 
+                     NULL, find_options);
 
+        } else {
 
+            findTest(Name("bar.foo.wild.example.org"), RRType::A(),
 
+                     ZoneFinder::NXDOMAIN, true, ConstRRsetPtr(),
 
+                     expected_flags, NULL, find_options);
 
+        }
 
     }
 
     }
 
 }
 
 }