Fix closest encloser proof for wildcard nodata answers.

Add some tests to make sure I won't break this again...
PowerDNS · Nov 21, 2013 · cd30e94 · cd30e94
1 parent 213ec4a
commit cd30e94
Show file tree

Hide file tree

Showing 13 changed files with 68 additions and 2 deletions.
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
@@ -589,11 +589,13 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
   // cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"', narrow="<<narrow<<endl;
 
   string unhashed, hashed, before, after;
-  string closest=(mode == 3 || mode == 4) ? wildcard : target;
+  string closest;
 
   if (mode == 2 || mode == 3 || mode == 4) {
+    closest=wildcard;
     chopOff(closest);
-  }
+  } else
+    closest=target;
 
   if (mode == 1) {
     DNSResourceRecord rr;

diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/command b/regression-tests/nsecx-mode2-wildcard-nodata/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cleandig second.first.something.wtest.com TXT dnssec
diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/description b/regression-tests/nsecx-mode2-wildcard-nodata/description
@@ -0,0 +1 @@
+Check NSECx response for wildcards no data asnwers (mode 2)
diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/expected_result b/regression-tests/nsecx-mode2-wildcard-nodata/expected_result
@@ -0,0 +1,9 @@
+1	*.something.wtest.com.	IN	NSEC	86400	a.something.wtest.com. A RRSIG NSEC
+1	*.something.wtest.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	a.something.wtest.com.	IN	NSEC	86400	wtest.com. A RRSIG NSEC
+1	a.something.wtest.com.	IN	RRSIG	86400	NSEC 8 4 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/expected_result.narrow b/regression-tests/nsecx-mode2-wildcard-nodata/expected_result.narrow
@@ -0,0 +1,11 @@
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd D0RJLF3TFUL8JFJK86VI5CE50NUEA9A8
+1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd PD15QDSJJBFOSU5FG2OQRNLB8R8OIFL7 A RRSIG
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/expected_result.nsec3 b/regression-tests/nsecx-mode2-wildcard-nodata/expected_result.nsec3
@@ -0,0 +1,11 @@
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd J02K7MH36PLGFKRS6UTOCESCCQ5P7EOB A RRSIG
+1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsecx-mode2-wildcard-nodata/skip.nodnssec b/regression-tests/nsecx-mode2-wildcard-nodata/skip.nodnssec
diff --git a/regression-tests/nsecx-mode3-wildcard/command b/regression-tests/nsecx-mode3-wildcard/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cleandig second.first.something.wtest.com A dnssec
diff --git a/regression-tests/nsecx-mode3-wildcard/description b/regression-tests/nsecx-mode3-wildcard/description
@@ -0,0 +1 @@
+Check NSECx response for wildcard asnwers (mode 3)
diff --git a/regression-tests/nsecx-mode3-wildcard/expected_result b/regression-tests/nsecx-mode3-wildcard/expected_result
@@ -0,0 +1,7 @@
+0	second.first.something.wtest.com.	IN	A	3600	4.3.2.1
+0	second.first.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	a.something.wtest.com.	IN	NSEC	86400	wtest.com. A RRSIG NSEC
+1	a.something.wtest.com.	IN	RRSIG	86400	NSEC 8 4 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=A
diff --git a/regression-tests/nsecx-mode3-wildcard/expected_result.narrow b/regression-tests/nsecx-mode3-wildcard/expected_result.narrow
@@ -0,0 +1,9 @@
+0	second.first.something.wtest.com.	IN	A	3600	4.3.2.1
+0	second.first.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd D0RJLF3TFUL8JFJK86VI5CE50NUEA9A8
+1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=A
diff --git a/regression-tests/nsecx-mode3-wildcard/expected_result.nsec3 b/regression-tests/nsecx-mode3-wildcard/expected_result.nsec3
@@ -0,0 +1,9 @@
+0	second.first.something.wtest.com.	IN	A	3600	4.3.2.1
+0	second.first.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd J02K7MH36PLGFKRS6UTOCESCCQ5P7EOB A RRSIG
+1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='second.first.something.wtest.com.', qtype=A
diff --git a/regression-tests/nsecx-mode3-wildcard/skip.nodnssec b/regression-tests/nsecx-mode3-wildcard/skip.nodnssec