
construct the name as next closer + closest encloser, and then invoke findNSEC3 to confirm its non-existence

zhanghk 13 years ago
parent
commit
77ceb4384e
1 changed files with 36 additions and 43 deletions
  1. 36 43
      src/bin/auth/query.cc

+ 36 - 43
src/bin/auth/query.cc

@@ -169,50 +169,43 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
 
 void
 Query::addWildcardProof(ZoneFinder& finder,
-			const ZoneFinder::FindResult& db_result) 
+		const ZoneFinder::FindResult& db_result) 
 {
-    // The query name shouldn't exist in the zone if there were no wildcard
-    // substitution.  Confirm that by specifying NO_WILDCARD.  It should result
-    // in NXDOMAIN and an NSEC RR that proves it should be returned.
-    if(db_result.isNSECSigned() && db_result.isWildcard()){
-    const ZoneFinder::FindResult fresult =
-        finder.find(qname_, RRType::NSEC(),
-                    dnssec_opt_ | ZoneFinder::NO_WILDCARD);
-    if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
-        fresult.rrset->getRdataCount() == 0) {
-        isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
-    }
-    response_.addRRset(Message::SECTION_AUTHORITY,
-                       boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
-                       dnssec_);
-    }else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
-	// case for RFC5155 Section 7.2.6
-	const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
-                                                                  true));
-	/*
-	if (NSEC3Result.code != ZoneFinder::NXDOMAIN || !NSEC3Result.rrset ||
-            NSEC3Result.rrset->getRdataCount() == 0) {
-        	isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
-    	}
-	*/
-	response_.addRRset(Message::SECTION_AUTHORITY,
-                           boost::const_pointer_cast<AbstractRRset>(
-                               NSEC3Result.next_proof), dnssec_);
-	const Name wname = Name("*").concatenate(
-            qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels));
-        const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
-                                                                   false));
-        if (wresult.matched) {
-            response_.addRRset(Message::SECTION_AUTHORITY,
-                               boost::const_pointer_cast<AbstractRRset>(
-                                   wresult.closest_proof), dnssec_);
-        } else {
-            isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
-                      << wname);
-         }
-		
-    }
-    
+	// The query name shouldn't exist in the zone if there were no wildcard
+	// substitution.  Confirm that by specifying NO_WILDCARD.  It should result
+	// in NXDOMAIN and an NSEC RR that proves it should be returned.
+	if(db_result.isNSECSigned() && db_result.isWildcard()){
+		const ZoneFinder::FindResult fresult =
+			finder.find(qname_, RRType::NSEC(),
+					dnssec_opt_ | ZoneFinder::NO_WILDCARD);
+		if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
+				fresult.rrset->getRdataCount() == 0) {
+			isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
+		}
+		response_.addRRset(Message::SECTION_AUTHORITY,
+				boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
+				dnssec_);
+	}else if(db_result.isNSEC3Signed() && db_result.isWildcard()){
+		// case for RFC5155 Section 7.2.6
+		const ZoneFinder::FindNSEC3Result NSEC3Result(finder.findNSEC3(qname_,
+					true));
+		if (NULL == NSEC3Result.next_proof){ 
+			isc_throw(BadNSEC3, "Unexpected NSEC3 result for wildcard proof");
+		}
+		response_.addRRset(Message::SECTION_AUTHORITY,
+				boost::const_pointer_cast<AbstractRRset>(
+					NSEC3Result.next_proof), dnssec_);
+		const Name wname = 
+			qname_.split(qname_.getLabelCount() - NSEC3Result.closest_labels - 1);
+		const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
+					false));
+		if (wresult.matched) {
+			isc_throw(BadNSEC3, "Unexpected NSEC3 found for existing domain "
+					<< wname);
+		}
+
+	}
+
 }
 
 void
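Review bot: The guard `if (NULL == NSEC3Result.next_proof)` in the NSEC3 branch compares a smart pointer against NULL, while the NSEC branch a few lines above tests the same kind of value with `!fresult.rrset || fresult.rrset->getRdataCount() == 0`; the new branch should use the same form, `if (!NSEC3Result.next_proof || NSEC3Result.next_proof->getRdataCount() == 0) {`, so an empty proof RRset is rejected before it is added to the authority section. The second lookup `finder.findNSEC3(wname, false)` is used only for its `matched` flag and its `closest_proof` is discarded, which reads as dead work; a comment such as `// The next closer name must not exist: a matching NSEC3 here would contradict the wildcard expansion, so treat it as a broken zone.` would make the intent of the sanity check clear. The label arithmetic `qname_.getLabelCount() - NSEC3Result.closest_labels - 1` presumably relies on the closest encloser being a proper ancestor of qname_ (guaranteed by isWildcard(), as far as the hunk shows); worth stating in a comment since an underflow here would be silent. On style, the rewritten body is indented with tabs while the surrounding lines of the file use spaces, and lines 21, 83 and 89 carry trailing whitespace.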