
[1307] added an NSEC to prove NXDOMAIN if necessary and possible.
this change is incomplete: we still need a wildcard proof.

JINMEI Tatuya 13 years ago
parent
commit
7e8b9cdec8
2 changed files with 25 additions and 1 deletions
  1. 8 1
      src/bin/auth/query.cc
  2. 17 0
      src/bin/auth/tests/query_unittest.cc

+ 8 - 1
src/bin/auth/query.cc

@@ -245,9 +245,16 @@ Query::process() const {
                 getAdditional(*result.zone_finder, *db_result.rrset);
                 break;
             case ZoneFinder::NXDOMAIN:
-                // Just empty answer with SOA in authority section
                 response_.setRcode(Rcode::NXDOMAIN());
                 putSOA(*result.zone_finder);
+
+                // If DNSSEC proof is requested and we've got it, add it.
+                if (dnssec_ && db_result.rrset) {
+                    response_.addRRset(
+                        Message::SECTION_AUTHORITY,
+                        boost::const_pointer_cast<RRset>(db_result.rrset),
+                        dnssec_);
+                }
                 break;
             case ZoneFinder::NXRRSET:
                 // Just empty answer with SOA in authority section
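Review bot: The new comment in the `ZoneFinder::NXDOMAIN` branch should record that the proof is partial, because the commit message says a wildcard proof is still missing but the code does not; for example `// TODO: also add the NSEC proving that no wildcard matches; until then a validator may not accept this as authenticated denial`. The branch also adds whatever `db_result.rrset` holds without checking its type, so it relies on the finder returning only the covering NSEC on NXDOMAIN. If that contract is not guaranteed, a guard such as `db_result.rrset->getType() == RRType::NSEC()` would keep unrelated data out of the authority section. `Query::process()` starts and ends outside this hunk, so how the finder is invoked is not visible here.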

+ 17 - 0
src/bin/auth/tests/query_unittest.cc

@@ -95,6 +95,10 @@ const char* const other_zone_rrs =
 const char* const nsec_nxdomain_txt =
     "noglue.example.com. 3600 IN NSEC www.example.com. A\n";
 
+// A helper function that generates a textual representation of RRSIG RDATA
+// for the given covered type.  The resulting RRSIG may not necessarily make
+// sense in terms of the DNSSEC protocol, but for our testing purposes it's
+// okay.
 string
 getCommonRRSIGText(const string& type) {
     return (type +
@@ -525,6 +529,19 @@ TEST_F(QueryTest, nxdomain) {
                   NULL, soa_txt, NULL, mock_finder->getOrigin());
 }
 
+TEST_F(QueryTest, nxdomainWithNSEC) {
+    EXPECT_NO_THROW(Query(memory_client, Name("nxdomain.example.com"), qtype,
+                          response, true).process());
+    responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 4, 0,
+                  NULL, (string(soa_txt) +
+                         string("example.com. 3600 IN RRSIG ") +
+                         getCommonRRSIGText("SOA") + "\n" +
+                         string(nsec_nxdomain_txt) + "\n" +
+                         string("noglue.example.com. 3600 IN RRSIG ") +
+                         getCommonRRSIGText("NSEC")).c_str(),
+                  NULL, mock_finder->getOrigin());
+}
+
 TEST_F(QueryTest, nxrrset) {
     EXPECT_NO_THROW(Query(memory_client, Name("www.example.com"),
                           RRType::TXT(), response).process());
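Review bot: `nxdomainWithNSEC` covers only the case where DNSSEC is requested and the mock finder supplies an NSEC, so the other outcome of the `dnssec_ && db_result.rrset` condition is not exercised by this hunk. A companion case with DNSSEC requested for a name where the finder returns no NSEC, expecting only the SOA and its RRSIG in the authority section, would cover the "if possible" half of the change. Separately, `nsec_nxdomain_txt` already ends in `\n`, so `string(nsec_nxdomain_txt) + "\n"` puts an empty line into the expected text. That presumably passes only because the checker skips blank lines; `string(nsec_nxdomain_txt) +` on its own would be cleaner.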