|
|
@@ -1358,6 +1358,74 @@ TEST_F(InMemoryZoneFinderTest, findNSEC3ForBadZone) {
|
|
|
DataSourceError);
|
|
|
}
|
|
|
|
|
|
+TEST_F(InMemoryZoneFinderTest, findOrphanRRSIG) {
|
|
|
+ // Make the zone "NSEC signed"
|
|
|
+ addToZoneData(rr_nsec_);
|
|
|
+ const ZoneFinder::FindResultFlags expected_flags =
|
|
|
+ ZoneFinder::RESULT_NSEC_SIGNED;
|
|
|
+
|
|
|
+ // Add A for ns.example.org, and RRSIG-only covering TXT for the same name.
|
|
|
+ // query for the TXT should result in NXRRSET.
|
|
|
+ addToZoneData(rr_ns_a_);
|
|
|
+ updater_.add(ConstRRsetPtr(),
|
|
|
+ textToRRset(
|
|
|
+ "ns.example.org. 300 IN RRSIG TXT 5 3 300 20120814220826 "
|
|
|
+ "20120715220826 1234 example.com. FAKE"));
|
|
|
+ findTest(Name("ns.example.org"), RRType::TXT(),
|
|
|
+ ZoneFinder::NXRRSET, true, ConstRRsetPtr(), expected_flags);
|
|
|
+
|
|
|
+ // Add RRSIG-only covering NSEC. This shouldn't be returned when NSEC is
|
|
|
+ // requested, whether it's for NXRRSET or NXDOMAIN
|
|
|
+ updater_.add(ConstRRsetPtr(),
|
|
|
+ textToRRset(
|
|
|
+ "ns.example.org. 300 IN RRSIG NSEC 5 3 300 "
|
|
|
+ "20120814220826 20120715220826 1234 example.com. FAKE"));
|
|
|
+ // The added RRSIG for NSEC could be used for NXRRSET but shouldn't
|
|
|
+ findTest(Name("ns.example.org"), RRType::TXT(),
|
|
|
+ ZoneFinder::NXRRSET, true, ConstRRsetPtr(),
|
|
|
+ expected_flags, NULL, ZoneFinder::FIND_DNSSEC);
|
|
|
+ // The added RRSIG for NSEC could be used for NXDOMAIN but shouldn't
|
|
|
+ findTest(Name("nz.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::NXDOMAIN, true, rr_nsec_,
|
|
|
+ expected_flags, NULL, ZoneFinder::FIND_DNSSEC);
|
|
|
+
|
|
|
+ // RRSIG-only CNAME shouldn't be accidentally confused with real CNAME.
|
|
|
+ updater_.add(ConstRRsetPtr(),
|
|
|
+ textToRRset(
|
|
|
+ "nocname.example.org. 300 IN RRSIG CNAME 5 3 300 "
|
|
|
+ "20120814220826 20120715220826 1234 example.com. FAKE"));
|
|
|
+ findTest(Name("nocname.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::NXRRSET, true, ConstRRsetPtr(), expected_flags);
|
|
|
+
|
|
|
+ // RRSIG-only for NS wouldn't invoke delegation anyway, but we check this
|
|
|
+ // case explicitly.
|
|
|
+ updater_.add(ConstRRsetPtr(),
|
|
|
+ textToRRset(
|
|
|
+ "nodelegation.example.org. 300 IN RRSIG NS 5 3 300 "
|
|
|
+ "20120814220826 20120715220826 1234 example.com. FAKE"));
|
|
|
+ findTest(Name("nodelegation.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::NXRRSET, true, ConstRRsetPtr(), expected_flags);
|
|
|
+ findTest(Name("www.nodelegation.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::NXDOMAIN, true, ConstRRsetPtr(), expected_flags);
|
|
|
+
|
|
|
+ // Same for RRSIG-only for DNAME
|
|
|
+ updater_.add(ConstRRsetPtr(),
|
|
|
+ textToRRset(
|
|
|
+ "nodname.example.org. 300 IN RRSIG DNAME 5 3 300 "
|
|
|
+ "20120814220826 20120715220826 1234 example.com. FAKE"));
|
|
|
+ findTest(Name("www.nodname.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::NXDOMAIN, true, ConstRRsetPtr(), expected_flags);
|
|
|
+ // If we have a delegation NS at this node, it will be a bit trickier,
|
|
|
+ // because the zonecut processing actually takes place at the node.
|
|
|
+ // But the RRSIG-only for DNAME shouldn't confuse the process and the NS
|
|
|
+ // should win.
|
|
|
+ ConstRRsetPtr ns_rrset =
|
|
|
+ textToRRset("nodname.example.org. 300 IN NS ns.nodname.example.org.");
|
|
|
+ addToZoneData(ns_rrset);
|
|
|
+ findTest(Name("www.nodname.example.org"), RRType::A(),
|
|
|
+ ZoneFinder::DELEGATION, true, ns_rrset);
|
|
|
+}
|
|
|
+
|
|
|
/// \brief NSEC3 specific tests fixture for the InMemoryZoneFinder class
|
|
|
class InMemoryZoneFinderNSEC3Test : public InMemoryZoneFinderTest {
|
|
|
public:
|
JINMEI Tatuya