Opened 8 years ago

Closed 8 years ago

#1349 closed defect (fixed)

Update "Authoritative Query Logic" design to support NSEC3

Reported by: kevin_tes
Owned by: jiangchao
Priority: high
Milestone: Sprint-20111122
Component: b10-auth
Version:
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: Medium
Sub-Project: DNS
Feature Depending on Ticket: 1178
Estimated Difficulty: 5
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description

#1178 is "NSEC3 support in new data source; we should also support the ability to include NSEC3 (and its RRSIG) for negative answers in DatabaseClient::Finder::find() when the zone is expected to use NSEC3."

In order to finish this task, we should first update the "Authoritative Query Logic" design to support NSEC3.

I think this task should be done in this sprint.

Change History (9)

comment:1 Changed 8 years ago by kevin_tes

  • Defect Severity changed from N/A to Medium

comment:2 Changed 8 years ago by kevin_tes

  • Component changed from Unclassified to b10-auth

comment:3 Changed 8 years ago by kevin_tes

  • Owner set to kevin_tes
  • Status changed from new to accepted

comment:4 follow-up: Changed 8 years ago by kevin_tes

  • Status changed from accepted to reviewing

Add the Name Error, No data, Wildcard answer, Wildcard no data and referrals to unsigned subzone query logic for NSEC3.
The Wiki web page is at:

http://bind10.isc.org/wiki/AuthServerQueryLogic

comment:5 Changed 8 years ago by jiangchao

  • Owner changed from kevin_tes to jiangchao

comment:6 in reply to: ↑ 4 ; follow-up: Changed 8 years ago by jiangchao

Replying to kevin_tes:

Add the Name Error, No data, Wildcard answer, Wildcard no data and referrals to unsigned subzone query logic for NSEC3.
The Wiki web page is at:

http://bind10.isc.org/wiki/AuthServerQueryLogic

1:
If QTYPE is DS, search the available zones for the zone which is the nearest ancestor of QNAME's parent. For example, if QNAME is c.example.com and the type is DS, search the zone which is the nearest ancestor of example.com.

2.c:
If we were looking up the original QNAME of the query, clear the AA bit in the reply. Place the NS records for the subzone into the authority section of the reply. Check whether a DS record was found; if so, add the DS and its signatures to the authority section; else, if the zone is secured and supports NSEC, go to 2.c.Ⅰ; else, if the zone is secured and supports NSEC3, go to 2.c.Ⅱ; else, go to step 7.
2.c.Ⅰ: add the NSEC RR (MUST exist) matching the delegation NS name and its signature to the authority section.
2.c.Ⅱ: if the NSEC3 RR matching the delegation NS name exists, add it and its signatures to the authority section; else (no matching NSEC3 RR), the delegated zone must be OPT-OUT: add the covering NSEC3 RR (opt-out flag must be set) and its signature to the authority section.

3.b:
If an RRset matching QNAME/CNAME is found, add it and its signature to the answer section.

3.c:
If ANY RRset matching QNAME is found, regardless of RRtype, and the zone is secured, add the matching NSEC/NSEC3 RRset and its signature to the authority section. Go to step 6.

3.d:
If any RRsets are found with a name which is a subdomain of QNAME: if the zone is secured by NSEC, add the NSEC RR covering QNAME and its signature to the authority section; if the zone is secured by NSEC3, add the NSEC3 RR matching QNAME (must exist) to the authority section. Go to step 6.

4:
No match has been found. If the zone is secured by NSEC, a covering NSEC RR proving that there is no exact match for QNAME should be added to the authority section. If the zone is secured by NSEC3, add the NSEC3 RR matching QNAME's closest encloser name and the NSEC3 RR covering QNAME's next closer name, and their signatures, to the authority section. Then check for a wildcard match: search for QNAME's wildcard name (add "*" to QNAME's closest encloser name) and QTYPE. If found, change the wildcard RRset's name to QNAME and add it and its signature to the answer section; if the wildcard name is found but no type matches, add the NSEC3 RR matching the wildcard name and its signature to the authority section; if the wildcard name is not found, add the NSEC3 RR covering the wildcard name to the authority section.

comment:7 in reply to: ↑ 6 Changed 8 years ago by kevin_tes

Replying to jiangchao:

Replying to kevin_tes:

Add the Name Error, No data, Wildcard answer, Wildcard no data and referrals to unsigned subzone query logic for NSEC3.
The Wiki web page is at:

http://bind10.isc.org/wiki/AuthServerQueryLogic

1:
If QTYPE is DS, search the available zones for the zone which is the nearest ancestor of QNAME's parent. For example, if QNAME is c.example.com and the type is DS, search the zone which is the nearest ancestor of example.com.

I have added this case to the query logic.

2.c:
If we were looking up the original QNAME of the query, clear the AA bit in the reply. Place the NS records for the subzone into the authority section of the reply. Check whether a DS record was found; if so, add the DS and its signatures to the authority section; else, if the zone is secured and supports NSEC, go to 2.c.Ⅰ; else, if the zone is secured and supports NSEC3, go to 2.c.Ⅱ; else, go to step 7.
2.c.Ⅰ: add the NSEC RR (MUST exist) matching the delegation NS name and its signature to the authority section.
2.c.Ⅱ: if the NSEC3 RR matching the delegation NS name exists, add it and its signatures to the authority section; else (no matching NSEC3 RR), the delegated zone must be OPT-OUT: add the covering NSEC3 RR (opt-out flag must be set) and its signature to the authority section.

3.b:
If an RRset matching QNAME/CNAME is found, add it and its signature to the answer section.

3.c:
If ANY RRset matching QNAME is found, regardless of RRtype, and the zone is secured, add the matching NSEC/NSEC3 RRset and its signature to the authority section. Go to step 6.

3.d:
If any RRsets are found with a name which is a subdomain of QNAME: if the zone is secured by NSEC, add the NSEC RR covering QNAME and its signature to the authority section; if the zone is secured by NSEC3, add the NSEC3 RR matching QNAME (must exist) to the authority section. Go to step 6.

4:
No match has been found. If the zone is secured by NSEC, a covering NSEC RR proving that there is no exact match for QNAME should be added to the authority section. If the zone is secured by NSEC3, add the NSEC3 RR matching QNAME's closest encloser name and the NSEC3 RR covering QNAME's next closer name, and their signatures, to the authority section. Then check for a wildcard match: search for QNAME's wildcard name (add "*" to QNAME's closest encloser name) and QTYPE. If found, change the wildcard RRset's name to QNAME and add it and its signature to the answer section; if the wildcard name is found but no type matches, add the NSEC3 RR matching the wildcard name and its signature to the authority section; if the wildcard name is not found, add the NSEC3 RR covering the wildcard name to the authority section.

Accept!
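
The NSEC3 cases worked out in comments 6 and 7 (the opt-out referral of 2.c.Ⅱ and the name error, wildcard answer and wildcard no data of step 4), as an added Python example that is not part of this ticket or of b10-auth. It assumes a constructed example.com. zone held as a dict from owner name to RR types (empty non-terminals listed with an empty set), the hash parameters of RFC 5155 Appendix A (salt aabbccdd, 12 iterations) so that nsec3_hash can be checked against the RFC's apex hash, and that the referral check of 2.c has already run, so negative_answer is never handed a name below a delegation. The "name" field on each NSEC3 dict is only there to make the output readable; a real NSEC3 RR carries no plaintext owner.

```python
"""NSEC3 proof selection for steps 2.c.II and 4 above (added example, not b10-auth code)."""
import base64
import hashlib

# base32 -> base32hex (RFC 4648), so string order of hashes equals binary order.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire(name):
    """Canonical (lower-cased) wire form of an absolute domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(wire || salt), re-hashed 'iterations' more times."""
    h = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(B32HEX)


class Nsec3Zone:
    """rrsets: owner -> set of RR types; empty non-terminals are listed with set()."""

    def __init__(self, origin, rrsets, salt, iterations, opt_out):
        self.rrsets, self.salt, self.iterations = rrsets, salt, iterations
        # With Opt-Out, insecure delegations (NS without DS) get no NSEC3 RR.
        owners = [n for n, t in rrsets.items()
                  if n == origin or not (opt_out and "NS" in t and "DS" not in t)]
        hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in owners)
        self.chain = [{"owner": h, "name": n, "types": rrsets[n], "opt_out": opt_out,
                       "next": hashed[(i + 1) % len(hashed)][0]}
                      for i, (h, n) in enumerate(hashed)]

    def nsec3_for(self, name):
        """('match', rr) if an NSEC3 owns name's hash, else ('cover', rr) for the
        record whose span contains it; the last record wraps around to the first."""
        h = nsec3_hash(name, self.salt, self.iterations)
        for rr in self.chain:
            if rr["owner"] == h:
                return "match", rr
            if rr["owner"] < rr["next"]:
                if rr["owner"] < h < rr["next"]:
                    return "cover", rr
            elif h > rr["owner"] or h < rr["next"]:
                return "cover", rr
        raise AssertionError("NSEC3 chain is not closed")

    def closest_encloser(self, qname):
        """First existing ancestor of qname, and the name one label below it."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:]) + "."
            if ancestor in self.rrsets:
                return ancestor, ".".join(labels[i - 1:]) + "."
        raise ValueError("qname is not below the zone origin")

    def referral(self, delegation):
        """2.c.II: NSEC3 matching the NS owner, or under Opt-Out the covering one."""
        if "DS" in self.rrsets[delegation]:
            return "DS", None                 # secure delegation: DS + RRSIG suffice
        kind, rr = self.nsec3_for(delegation)
        if kind == "cover" and not rr["opt_out"]:
            raise ValueError("insecure delegation outside an Opt-Out span")
        return ("match" if kind == "match" else "opt-out"), rr

    def negative_answer(self, qname, qtype):
        """Step 4: no exact match, then wildcard answer / wildcard no data / name
        error. Returns (synthesized answer or None, NSEC3 RRs for the authority)."""
        ce, nc = self.closest_encloser(qname)
        kind, ce_rr = self.nsec3_for(ce)
        assert kind == "match", "closest encloser must have an NSEC3"
        kind, nc_rr = self.nsec3_for(nc)
        assert kind == "cover", "next closer name must not exist"
        authority, wildcard = [ce_rr, nc_rr], "*." + ce
        kind, wc_rr = self.nsec3_for(wildcard)
        if wildcard in self.rrsets:
            assert kind == "match"
            if qtype in self.rrsets[wildcard]:
                return (qname, qtype), authority          # wildcard answer
            return None, authority + [wc_rr]              # wildcard no data
        assert kind == "cover"
        return None, authority + [wc_rr]                  # name error


# Constructed zone; salt and iterations are those of RFC 5155 Appendix A.
ZONE = Nsec3Zone("example.com.", {
    "example.com.":        {"SOA", "NS", "DNSKEY", "NSEC3PARAM"},
    "a.example.com.":      {"A"},
    "wild.example.com.":   set(),           # empty non-terminal
    "*.wild.example.com.": {"MX"},
    "signed.example.com.": {"NS", "DS"},    # secure delegation
    "optout.example.com.": {"NS"},          # insecure delegation, not in the chain
}, salt=bytes.fromhex("aabbccdd"), iterations=12, opt_out=True)

if __name__ == "__main__":
    for q in (("b.example.com.", "A"), ("foo.wild.example.com.", "MX")):
        answer, proof = ZONE.negative_answer(*q)
        print(q, answer, [rr["name"] for rr in proof])
    print(ZONE.referral("optout.example.com."))
```

The check worth keeping from this is the one in referral: when no NSEC3 matches the delegation name, the covering record is only a valid proof if its Opt-Out flag is set, otherwise the zone is inconsistent and the server should not hand out the covering record as if it proved anything. Note also that the wildcard branch of step 4 relies on the NSEC3 for the closest encloser being a "match": if the zone omits NSEC3 RRs for empty non-terminals, closest_encloser still finds the name but the proof cannot be built.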

comment:8 Changed 8 years ago by jelte

  • Milestone changed from Sprint-20111108 to Sprint-20111122

comment:9 Changed 8 years ago by kevin_tes

  • Resolution set to fixed
  • Status changed from reviewing to closed