Changes between Version 11 and Version 12 of AuthServerQueryLogic


Timestamp:
Nov 2, 2011, 2:11:46 AM (6 years ago)
Author:
kevin_tes
Comment:

--

  • AuthServerQueryLogic

    v11 v12  
    33The authoritative-only server algorithm is:
    44
    5  1. Search the available zones for the zone which is the nearest ancestor to QNAME.  If such a zone is found, set the AA bit in the reply and continue to step 2.  If the zone is not found, then:
     5 1. If QTYPE is DS, search the available zones for the zone which is the nearest ancestor to QNAME's parent,go to step 1.1.Otherwise search the available zones for the zone which is the nearest ancestor to QNAME.  If such a zone is found, set the AA bit in the reply and continue to step 2.  If the zone is not found, then:
    66  a. If we were looking up the target of a previously-discovered CNAME, set Rcode to NOERROR and exit.
    77  b. If we were looking up the original QNAME of the query, set Rcode to REFUSED and exit.
     8
     9 1.1. If such a zone is found:
     10  a. If an RRset matching QTYPE is found, add it and it's RRSIG to the answer section, then add the NS records for the enclosing zone to the authority section.  Go to step 7.
     11  b. If thus RRset is not found, if zone is secure and support NSEC, go to 1.1.a,if zone is secure and support NSEC3, go to 1.1.b,else go to step 6.
     12     1.1.a. Add the SOA of the zone and it's RRSIG to the authority section,and the NSSEC RR that covered the QNAME and it's RRSIG to the authority section.
     13     1.1.a. Add the SOA of the zone and it's RRSIG to the authority section,and the NSSEC3 RR that covered the QNAME and it's RRSIG to the authority section.
    814
    915 2. Determine whether we are authoritative for QNAME.
    1016  a. If the number of labels in QNAME is equal to the number of labels in the enclosing zone name, we are authoritative; go to step 3.
    1117  b. If the difference between the number of labels in the enclosing zone and the number of labels in QNAME is greater than zero, then check each intermediate node starting immediately below the enclosing zone and continuing down to QNAME, checking for NS, DS, or DNAME records.  If any NS records are found, this is a referral: go to step 2c.  If any DNAME records are found, go to step 5.  If no NS or DNAME records are found, go to step 3.
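Review bot: In the new step 1.1 both sub-steps are labelled "1.1.a." and step 1.1.b sends the NSEC3 case to "1.1.b", which is itself, so the NSEC3 branch has no reachable target and the NSEC branch points at a label that also names the "RRset matching QTYPE is found" item. Give the two sub-steps distinct labels, correct "NSSEC" and "NSSEC3" to NSEC and NSEC3, and end each with an explicit next step, since neither currently says where processing continues. The DS branch also jumps to 1.1 before the sentence that sets the AA bit, and 1.1 only covers "If such a zone is found"; state whether AA is set for DS answers and whether 1a/1b apply when the parent zone is not found.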
    12   c. If we were looking up the original QNAME of the query, clear the AA bit in the reply.  Place the NS records for the subzone into the authority section of the reply (without signatures).  If the enclosing zone is secure and support NSEC, check whether a DS record was found; if so, add it to the authority section of the reply; if not, add the NSEC RRset for this node (if any) to the authority section of the reply, if the enclosing zone is secure and support NSEC3, check whether a DS record was found; if so, add it to the authority section of the reply,if there is an NSEC3 RR that matches the delegation name, then the NSEC3 RR MUST be included in the authority section; if not, if the zone is Opt-Out, then there may not be an NSEC3 RR corresponding to the delegation. In this case, the closest provable NSEC3 MUST be included in the authority section, if the zone is not Opt-out,add the covered NSEC3 RRset for this node (if any) to the authority section of the reply. Go to step 7.
     18  c. If we were looking up the original QNAME of the query, clear the AA bit in the reply. Place the NS records for the subzone into the authority section of the reply. check whether a DS record was found, if so, add ds and its signatures to authority secion, else if the zone is secured and support nsec, go to 2.c.Ⅰ;else if the zone is secured and support nsec3 goto 2.c.Ⅱ; else, go to setp7.
     19     2.c.1. Add nsec rr(MUST be exist) and its signautre matching the delegation ns name to authority section.
     20     2.c.2. If the nsec3 rr matching the delegation ns name exists, add it and its signatures to authority section; else(no matching nsec3 rr), the delegated zone must be OPT-OUT, add covered nsec3 rr(opt-out flag must be set) and its signature to authority section.
    1321
    1422 3. Check for the existence of matching data at QNAME.
    1523  a. If an RRset matching QNAME/QTYPE is found, add it to the answer section, then (if QTYPE was not NS) add the NS records for the enclosing zone to the authority section.  Go to step 7.
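Review bot: The rewritten step 2c points at "2.c.Ⅰ" and "2.c.Ⅱ" while the sub-steps that follow are numbered 2.c.1 and 2.c.2, and neither sub-step ends with "go to step 7", so after the NSEC or NSEC3 record is added a referral would fall through into step 3. Use one numbering scheme, add the exit to both sub-steps, and fix "setp7" and "secion". Version 11 stated that the subzone NS records are placed in the authority section "(without signatures)"; version 12 drops that qualifier, so restate it to keep the referral behaviour unambiguous.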
    16   b. If an RRset matching QNAME/CNAME is found, add it to the answer section, then go back to step 1, with QNAME set to the target of the CNAME RR.
    17   c. If ANY RRset matching QNAME is found, regardless of RRtype, if zone is secure and support NSEC,attach the matched NSEC RRset for QNAME to the authority section of the reply.If zone is secure and support NSEC3,if there is an NSEC3 RR that matches QNAME, MUST return it in the authority section,if no NSEC3 RR matches QNAME, MUST return a covered NSEC3 in the authority section. Go to step 6.
    18   d. If any RRset is found with a name which is a subdomain of QNAME, if zone is secure and support NSEC, an NSEC RR proving that there is no exact match for QNAME,an NSEC RR proving that the zone contains no RRsets that would match QNAME,via wildcard name expansion,should  add those to the authority section ;if zone is secure and support NSEC3, up to three NSEC3 RRs proves both that QNAME does not exist and that a wildcard that could have matched QNAME does not exit,MUST add those to the authority section. Go to step 6.
     24  b. If an RRset matching QNAME/CNAME is found, add it and its signature to the answer section.
     25  c. If ANY RRset matching QNAME is found, regardless of RRtype, if zone is secured, add matching nsec/nsec3 rrset and its signature to authority section. goto step 6.
     26  d. If any RRsets are found with a name which is a subdomain of QNAME, if the zone is secured by nsec, add nsec rr covering qname and its signature to authority section; if the zone is secured by nsec3, add nsec3 rr matching qname(must exist) to authority section. go to step 6.
    1927  e. If none of the above are found, go to step 4.
    2028
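Review bot: Step 3b in version 12 no longer says what happens after the CNAME is added. Version 11 ended it with "go back to step 1, with QNAME set to the target of the CNAME RR", and without that restart step 1a ("looking up the target of a previously-discovered CNAME") can never be reached. Restore the restart, or state that CNAME targets are not followed and send 3b to step 7. Step 3c also collapses the NSEC3 handling to "matching nsec/nsec3 rrset", which loses version 11's rule for the case where no NSEC3 RR matches QNAME; keep that case or explain why it cannot occur.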
    21  4. No match has been found. If zone is secure and support NSEC, an covered NSEC RR proving that there is no exact match for QNAME,should  add those to the authority section;if zone is secure and support NSEC3, up to three covered NSEC3 RRs proves that QNAME does not exist MUST add those to the authority section. then check for wildcards.
     29 4. No match has been found. If zone is secure by NSEC, an covered NSEC RR proving that there is no exact match for QNAME,should add those to the authority section. if the zone is secured by nsec3, add nsec3 rr matching qname's closest enclosure name and nsec3 rr covering qname's next closer name and their signatures to authority section. then check wildcard match. search qname's wildcard name(add "*" to qname's closest enclosure name) and qtype: if found, modify the wildcard rrset name to qname and add it and its signature to answer section; if wildcard name found but no type match, add the nsec3 rr matching wildcard name and its signature to authority section; if wildcard name not found, add nsec3 rr covering wildcard name to authority section.
    2230  a. If the difference between the number of labels in QNAME and the name of the enclosing zone is greater than zero, then for each intermediate node starting immediately above QNAME and working up to the enclosing zone, prepend a '*' label and check for the existence of an RRset with that name.  If found, go to step 4b; otherwise, set Rcode to NXDOMAIN ,if zone is secure and support NSEC,an NSEC RR proving that the zone contains no RRsets that would match QNAME,via wildcard name expansion,should add those to the authority section ;if zone is secure and support NSEC3, up to three NSEC3 RRs proves that a wildcard that could have matched QNAME does not exit,MUST add those to the authority section.And go to step 6.
    2331  b. If the wildcard label is found to exist, match records at that node against QTYPE. If any match, copy them into the answer section (but with the owner of the RRset set to be QNAME), then add the NS records for the enclosing zone (with signatures if zone is secure) to the authority section, if zone is secure and support NSEC, an NSEC RR and associated RRSIG RR(s) proving that the zone  does not contain a closer match for QNAME MUST add in the autority section;if zone is secure and support NSEC3, an NSEC3 RR that proof the wildcard match was valid must be add in the autority section,and go to step 7. If no records match QTYPE, proceed to step 4c.
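Review bot: The new step 4 text describes the wildcard lookup and its NSEC3 proofs inline, while the unchanged steps 4a and 4b below it still describe the same wildcard search with their own NSEC and NSEC3 rules, so wildcard handling is now specified twice in different words and a reader cannot tell which applies. Move the new wildcard sentences into 4a and 4b (replacing the old proof text there) so each case has one rule, and keep the Rcode assignment that only 4a currently carries. The new text also spells out the wildcard proofs only for NSEC3; say what an NSEC-signed zone adds in the same three cases. "closest enclosure" should read "closest encloser", the term RFC 5155 uses alongside "next closer name".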