
[1580] handled one missing case: run time collision due to having matching
NSEC3 for the wildcard.

JINMEI Tatuya il y a 13 ans
Parent
commit
7de090b9c3
2 fichiers modifiés avec 24 ajouts et 2 suppressions
  1. 4 0
      src/bin/auth/query.cc
  2. 20 2
      src/bin/auth/tests/query_unittest.cc

+ 4 - 0
src/bin/auth/query.cc

@@ -191,6 +191,10 @@ Query::addNSEC3NXDOMAINProof(ZoneFinder& finder) {
                             fresult1.closest_labels)));
     const ZoneFinder::FindNSEC3Result fresult2 =
         finder.findNSEC3(wildname, false);
+    if (fresult2.matched) {
+        isc_throw(BadNSEC3, "Matching NSEC3 found for nonexistent domain "
+                  << wildname);
+    }
     response_.addRRset(Message::SECTION_AUTHORITY,
                        boost::const_pointer_cast<AbstractRRset>(
                            fresult2.closest_proof),
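Review bot: The new `if (fresult2.matched)` check has no comment saying why a match is fatal, and the reason is not obvious to someone who does not know the NSEC3 denial rules. A line such as `// A matching NSEC3 for the wildcard cannot prove its nonexistence; treat it as a run-time collision.` above the `if` would record it. Separately, the function has probably already added the earlier NSEC3 proofs to `response_` by the time this throw fires (those lines are above the hunk), so it is worth confirming that whatever catches `BadNSEC3` discards the partially built authority section instead of sending it. The body of addNSEC3NXDOMAINProof starts and ends outside this hunk.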

+ 20 - 2
src/bin/auth/tests/query_unittest.cc

@@ -2159,8 +2159,7 @@ TEST_F(QueryTest, nxdomainWithNSEC3Proof) {
     mock_finder->addRecord(unsigned_delegation_nsec3_txt);
 
     Query(memory_client, Name("nxdomain.example.com"), qtype,
-              response, true).process();
-    cout << response << endl;
+          response, true).process();
     responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 8, 0, NULL,
                   // SOA + its RRSIG
                   (string(soa_txt) +
@@ -2200,6 +2199,25 @@ TEST_F(QueryTest, nxdomainWithBadNextNSEC3Proof) {
                  isc::InvalidParameter);
 }
 
+TEST_F(QueryTest, nxdomainWithBadWildcardNSEC3Proof) {
+    // Similar to nxdomainWithNSEC3Proof, but let findNSEC3() return a matching
+    // NSEC3 for the possible wildcard name, emulating run-time collision.
+    // This should result in BadNSEC3 exception.
+
+    mock_finder->setNSEC3Flag(true);
+    mock_finder->addRecord(nsec3_uwild_txt);
+    mock_finder->addRecord(unsigned_delegation_nsec3_txt);
+
+    const Name wname("*.example.com");
+    ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
+                                      ConstRRsetPtr());
+    mock_finder->setNSEC3Result(&nsec3, &wname);
+
+    EXPECT_THROW(Query(memory_client, Name("nxdomain.example.com"), qtype,
+                       response, true).process(),
+                 Query::BadNSEC3);
+}
+
 // The following are tentative tests until we really add tests for the
 // query logic for these cases.  At that point it's probably better to
 // clean them up.
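Review bot: In nxdomainWithBadWildcardNSEC3Proof, `mock_finder->setNSEC3Result(&nsec3, &wname)` hands the mock the addresses of two locals of the test body. If the mock stores the pointers instead of copying (its implementation is not visible here), they dangle once the body returns. That is safe only while nothing reads them during fixture teardown; making the pair fixture members or clearing the override at the end of the test would remove that dependency. The test also asserts only the exception type. If the intended contract is that no partial denial proof is left behind, a follow-up check on the authority section of `response` after the `EXPECT_THROW` would pin that down.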