
[1584review] Merge branch 'trac1584' into trac1584review

JINMEI Tatuya 13 years ago
parent
commit
a4abbe54f6
2 changed files with 45 additions and 17 deletions
  1. 42 16
      src/bin/auth/query.cc
  2. 3 1
      src/bin/auth/query.h

+ 42 - 16
src/bin/auth/query.cc

@@ -168,20 +168,46 @@ Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
 }
 
 void
-Query::addWildcardProof(ZoneFinder& finder) {
-    // The query name shouldn't exist in the zone if there were no wildcard
-    // substitution.  Confirm that by specifying NO_WILDCARD.  It should result
-    // in NXDOMAIN and an NSEC RR that proves it should be returned.
-    const ZoneFinder::FindResult fresult =
-        finder.find(qname_, RRType::NSEC(),
-                    dnssec_opt_ | ZoneFinder::NO_WILDCARD);
-    if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
-        fresult.rrset->getRdataCount() == 0) {
-        isc_throw(BadNSEC, "Unexpected result for wildcard proof");
-    }
-    response_.addRRset(Message::SECTION_AUTHORITY,
-                       boost::const_pointer_cast<AbstractRRset>(fresult.rrset),
-                       dnssec_);
+Query::addWildcardProof(ZoneFinder& finder,
+                        const ZoneFinder::FindResult& db_result)
+{
+	// The query name shouldn't exist in the zone if there were no wildcard
+	// substitution.  Confirm that by specifying NO_WILDCARD.  It should result
+	// in NXDOMAIN and an NSEC RR that proves it should be returned.
+	if (db_result.isNSECSigned() && db_result.isWildcard()){
+		const ZoneFinder::FindResult fresult =
+                    finder.find(qname_, RRType::NSEC(),
+                                dnssec_opt_ | ZoneFinder::NO_WILDCARD);
+		if (fresult.code != ZoneFinder::NXDOMAIN || !fresult.rrset ||
+                    fresult.rrset->getRdataCount() == 0) {
+                    isc_throw(BadNSEC,
+                              "Unexpected NSEC result for wildcard proof");
+		}
+		response_.addRRset(Message::SECTION_AUTHORITY,
+                                   boost::const_pointer_cast<AbstractRRset>(
+                                       fresult.rrset),
+                                   dnssec_);
+	} else if (db_result.isNSEC3Signed() && db_result.isWildcard()) {
+            // case for RFC5155 Section 7.2.6
+            const ZoneFinder::FindNSEC3Result NSEC3Result(
+                finder.findNSEC3(qname_, true));
+		if (NULL == NSEC3Result.next_proof) {
+			isc_throw(BadNSEC3, "Unexpected NSEC3 "
+                                  "result for wildcard proof");
+		}
+		response_.addRRset(Message::SECTION_AUTHORITY,
+                                   boost::const_pointer_cast<AbstractRRset>(
+                                       NSEC3Result.next_proof), dnssec_);
+		const Name wname =
+                    qname_.split(qname_.getLabelCount() -
+                                 NSEC3Result.closest_labels - 1);
+		const ZoneFinder::FindNSEC3Result wresult(
+                    finder.findNSEC3(wname, false));
+		if (wresult.matched) {
+			isc_throw(BadNSEC3, "Unexpected NSEC3 "
+                                  "found for existing domain " << wname);
+		}
+	}
 }
 
 void
@@ -448,7 +474,7 @@ Query::process() {
             // If the answer is a result of wildcard substitution,
             // add a proof that there's no closer name.
             if (dnssec_ && db_result.isWildcard()) {
-                addWildcardProof(*result.zone_finder);
+                addWildcardProof(*result.zone_finder,db_result);
             }
             break;
         case ZoneFinder::SUCCESS:
@@ -482,7 +508,7 @@ Query::process() {
             // If the answer is a result of wildcard substitution,
             // add a proof that there's no closer name.
             if (dnssec_ && db_result.isWildcard()) {
-                addWildcardProof(*result.zone_finder);
+                addWildcardProof(*result.zone_finder,db_result);
             }
             break;
         case ZoneFinder::DELEGATION:
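Review bot: In the rewritten Query::addWildcardProof (first hunk of this file), a FindResult that is a wildcard but reports neither isNSECSigned() nor isNSEC3Signed() falls through both branches and the function returns without adding any proof or raising, whereas the removed version always threw BadNSEC when the NSEC lookup could not produce one; the two call sites in Query::process guard only on `dnssec_ && db_result.isWildcard()`. If a zone without NSEC/NSEC3 answering a DO-bit query is the intended silent case, say so with a comment such as `// Zone has neither NSEC nor NSEC3: no wildcard proof can be produced`; otherwise add a final `else { isc_throw(BadNSEC, "Wildcard proof requested for zone without NSEC or NSEC3"); }`. Since both callers already test isWildcard(), the repeated isWildcard() checks inside the function are redundant, and the NSEC3 branch's `NULL == NSEC3Result.next_proof` would read consistently with the NSEC branch's `!fresult.rrset` as `if (!NSEC3Result.next_proof) {`. The new body also mixes tab and space indentation (tab-indented `if`/`const`/`response_` lines next to space-indented continuation lines), and the updated call sites in the later two hunks lack a space after the comma, `addWildcardProof(*result.zone_finder, db_result);`.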

+ 3 - 1
src/bin/auth/query.h

@@ -107,7 +107,9 @@ private:
     /// Add NSEC RRs that prove a wildcard answer is the best one.
     ///
     /// This corresponds to Section 3.1.3.3 of RFC 4035.
-    void addWildcardProof(isc::datasrc::ZoneFinder& finder);
+    void addWildcardProof(
+        isc::datasrc::ZoneFinder& finder,
+        const isc::datasrc::ZoneFinder::FindResult& dbResult);
 
     /// \brief Adds one NSEC RR proved no matched QNAME,one NSEC RR proved no
     /// matched <QNAME,QTYPE> through wildcard extension.
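Review bot: The new declaration names the second parameter `dbResult` while the definition in query.cc calls it `db_result`, and the Doxygen comment above it was not updated to describe the new argument or the NSEC3 path the implementation now takes. Rename the parameter to `const isc::datasrc::ZoneFinder::FindResult& db_result` so it matches the definition, and extend the comment with a `\param db_result` line describing it as the result of the original lookup whose signing mode (NSEC or NSEC3) selects which proof is added, alongside a note that the NSEC3 case follows RFC 5155 Section 7.2.6 in addition to the existing RFC 4035 reference. The body that consumes this parameter lives in the query.cc hunk of this commit, not here.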