Browse Source

[1177] NSEC for NXDOMAIN

Just for the common one, though. Empty non-terminal and wildcards must
be solved yet.
Michal 'vorner' Vaner 13 years ago
parent
commit
f847a5e079
1 changed files with 30 additions and 2 deletions
  1. 30 2
      src/lib/datasrc/database.cc

+ 30 - 2
src/lib/datasrc/database.cc

@@ -326,6 +326,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
     // In case we are in GLUE_OK mode and start matching wildcards,
     // we can't do it under NS, so we store it here to check
     isc::dns::RRsetPtr first_ns;
+    // This is used at multiple places
+    static WantedTypes nsec_types(empty_types + RRType::NSEC());
 
     // First, do we have any kind of delegation (NS/DNAME) here?
     Name origin(getOrigin());
@@ -497,8 +499,8 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
                                     // However, we need to get the RRset in the
                                     // name of the wildcard, not the constructed
                                     // one, so we walk it again
-                                    found = getRRsets(wildcard, empty_types +
-                                                      RRType::NSEC(), true);
+                                    found = getRRsets(wildcard, nsec_types,
+                                                      true);
                                     result_rrset =
                                         found.second.find(RRType::NSEC())->
                                         second;
@@ -526,6 +528,32 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
                         break;
                     }
                 }
+                // This is the NXDOMAIN case (nothing found anywhere). If
+                // they wand DNSSEC data, try getting the NSEC record
+                if (dnssec_data && !records_found) {
+                    try {
+                        // Which one should contain the NSEC record?
+                        const Name coverName(findPreviousName(name));
+                        // Get the record and copy it out
+                        found = getRRsets(coverName, nsec_types, true);
+                        const FoundIterator
+                            nci(found.second.find(RRType::NSEC()));
+                        if (nci != found.second.end()) {
+                            result_status = NXDOMAIN;
+                            result_rrset = nci->second;
+                        } else {
+                            // The previous doesn't contain NSEC, bug?
+                            isc_throw(DataSourceError, "No NSEC in " +
+                                      coverName.toText() + ", but it was "
+                                      "returned as previous - "
+                                      "accessor error?");
+                        }
+                    }
+                    catch (const isc::NotImplemented&) {
+                        // Well, they want DNSSEC, but there is no available.
+                        // So we don't provide anything.
+                    }
+                }
             }
         } else if (dnssec_data) {
             // This is the "usual" NXRRSET case