Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

[1307] added an NSEC to prove NXDOMAIN if necessary and possible.
this change is incomplete: we still need a wildcard proof.

JINMEI Tatuya 13 years ago
parent
1a4da963a4
commit
7e8b9cdec8
2 changed files with 25 additions and 1 deletions
Split View Show Diff Stats
  1. 8 1
      src/bin/auth/query.cc
  2. 17 0
      src/bin/auth/tests/query_unittest.cc

+ 8 - 1
src/bin/auth/query.cc
View File 

@@ -245,9 +245,16 @@ Query::process() const {
 
                 getAdditional(*result.zone_finder, *db_result.rrset);
 
                 break;
 
             case ZoneFinder::NXDOMAIN:
 
-                // Just empty answer with SOA in authority section
 
                 response_.setRcode(Rcode::NXDOMAIN());
 
                 putSOA(*result.zone_finder);
 
+
 
+                // If DNSSEC proof is requested and we've got it, add it.
 
+                if (dnssec_ && db_result.rrset) {
 
+                    response_.addRRset(
 
+                        Message::SECTION_AUTHORITY,
 
+                        boost::const_pointer_cast<RRset>(db_result.rrset),
 
+                        dnssec_);
 
+                }
 
                 break;
 
             case ZoneFinder::NXRRSET:
 
                 // Just empty answer with SOA in authority section

+ 17 - 0
src/bin/auth/tests/query_unittest.cc
View File 

@@ -95,6 +95,10 @@ const char* const other_zone_rrs =
 
 const char* const nsec_nxdomain_txt =
 
     "noglue.example.com. 3600 IN NSEC www.example.com. A\n";
 
 
+// A helper function that generates a textual representation of RRSIG RDATA
 
+// for the given covered type.  The resulting RRSIG may not necessarily make
 
+// sense in terms of the DNSSEC protocol, but for our testing purposes it's
 
+// okay.
 
 string
 
 getCommonRRSIGText(const string& type) {
 
     return (type +
 
@@ -525,6 +529,19 @@ TEST_F(QueryTest, nxdomain) {
 
                   NULL, soa_txt, NULL, mock_finder->getOrigin());
 
 }
 
 
+TEST_F(QueryTest, nxdomainWithNSEC) {
 
+    EXPECT_NO_THROW(Query(memory_client, Name("nxdomain.example.com"), qtype,
 
+                          response, true).process());
 
+    responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 4, 0,
 
+                  NULL, (string(soa_txt) +
 
+                         string("example.com. 3600 IN RRSIG ") +
 
+                         getCommonRRSIGText("SOA") + "\n" +
 
+                         string(nsec_nxdomain_txt) + "\n" +
 
+                         string("noglue.example.com. 3600 IN RRSIG ") +
 
+                         getCommonRRSIGText("NSEC")).c_str(),
 
+                  NULL, mock_finder->getOrigin());
 
+}
 
+
 
 TEST_F(QueryTest, nxrrset) {
 
     EXPECT_NO_THROW(Query(memory_client, Name("www.example.com"),
 
                           RRType::TXT(), response).process());