[1582] comments and dox

src/bin/auth/query.cc

@@ -248,7 +248,8 @@ Query::addNXRRsetProof(ZoneFinder& finder,
                                boost::const_pointer_cast<AbstractRRset>(
                                    result.closest_proof), dnssec_);
             // For qtype == DS, next_proof could be set
-            // (Do we want to double-check for opt-out here?)
+            // (We could check for opt-out here, but that's really the
+            // responsibility of the datasource)
             if (qtype_ds && result.next_proof != ConstRRsetPtr()) {
                 response_.addRRset(Message::SECTION_AUTHORITY,
                                    boost::const_pointer_cast<AbstractRRset>(

src/bin/auth/query.h

@@ -88,8 +88,9 @@ private:
 
     /// \brief Adds NSEC denial proof for the given NXRRset result
     ///
-    /// NSEC records, if available (signaled by isNSECSigned(), are added
-    /// to the authority section.
+    /// If available, NSEC or NSEC3 records are added to the authority
+    /// section (depending on whether isNSECSigned() or isNSEC3Signed()
+    /// returns true.
     ///
     /// \param finder The ZoneFinder that was used to search for the missing
     ///               data

src/bin/auth/tests/query_unittest.cc

@@ -1699,26 +1699,32 @@ TEST_F(QueryTest, nxrrsetMissingNSEC3) {
                        response, true).process(), Query::BadNSEC3);
 }
 
-// Check the exact matching NSEC3 is returned for NXRRSET and qtype DS
 TEST_F(QueryTest, nxrrsetWithNSEC3_ds_exact) {
     mock_finder->setNSEC3Flag(true);
 
+    // This delegation has no DS, but does have a matching NSEC3 record
+    // (See RFC5155 section 7.2.4)
     Query(memory_client, Name("unsigned-delegation.example.com."),
           RRType::DS(), response, true).process();
     responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
                   (string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
                    getCommonRRSIGText("SOA") + "\n" +
                    string(unsigned_delegation_nsec3_txt) + "\n" +
-                   mock_finder->hash_map_[Name("unsigned-delegation.example.com.")] +
+                   mock_finder->
+                        hash_map_[Name("unsigned-delegation.example.com.")] +
                    ".example.com. 3600 IN RRSIG " +
                    getCommonRRSIGText("NSEC3") + "\n").c_str(),
                   NULL, mock_finder->getOrigin());
 }
 
-// Check the signature is present when an NXRRSET is returned and qtype is DS
 TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
     mock_finder->setNSEC3Flag(true);
 
+    // This delegation has no DS, and no directly matching NSEC3 record
+    // So the response should contain closest encloser proof (and the
+    // 'next closer' should have opt-out set, though that is not
+    // actually checked)
+    // (See RFC5155 section 7.2.4)
     Query(memory_client, Name("unsigned-delegation-optout.example.com."),
           RRType::DS(), response, true).process();
     responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
@@ -1729,13 +1735,13 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
                    ".example.com. 3600 IN RRSIG " +
                    getCommonRRSIGText("NSEC3") + "\n" +
                    string(unsigned_delegation_nsec3_txt) + "\n" +
-                   mock_finder->hash_map_[Name("unsigned-delegation.example.com.")] +
+                   mock_finder->
+                        hash_map_[Name("unsigned-delegation.example.com.")] +
                    ".example.com. 3600 IN RRSIG " +
                    getCommonRRSIGText("NSEC3") + "\n").c_str(),
                   NULL, mock_finder->getOrigin());
 }
 
-
 // The following are tentative tests until we really add tests for the
 // query logic for these cases.  At that point it's probably better to
 // clean them up.