string dotName(string type, DNSName name, string tag);
string dotEscape(string name);
-const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure"};
+const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure", "opt-out"};
const char *vStates[]={"Indeterminate", "Bogus", "Insecure", "Secure", "NTA"};
typedef set<DNSKEYRecordContent> keyset_t;
(nsec3->d_nexthash < beginHash && beginHash < h) || // wrap other case END --- BEGINNING --- HASH
beginHash == nsec3->d_nexthash)) // "we have only 1 NSEC3 record, LOL!"
{
- LOG("Denies existence of name "<<qname<<"/"<<QType(qtype).getName()<<"(could be opt-out)!"<<endl);
+ LOG("Denies existence of name "<<qname<<"/"<<QType(qtype).getName());
+ if (qtype == QType::DS && nsec3->d_flags & 1) {
+ LOG(" but is opt-out!"<<endl);
+ return OPTOUT;
+ }
+ LOG(endl);
return NXDOMAIN;
}
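Review bot: The opt-out check at L12 only fires for `qtype == QType::DS`, so for any other qtype an NSEC3 with the Opt-Out flag that merely covers the hash still makes this branch return NXDOMAIN. A covering Opt-Out NSEC3 does not assert the non-existence of names in its span (an unsigned delegation may sit there, RFC 5155 §6), so the caller may treat the result as a secure NXDOMAIN that the record does not actually prove; consider dropping the qtype condition, `if (nsec3->d_flags & 1) {`, and letting the caller decide what OPTOUT means for its qtype. The bit test also deserves a name or a comment such as `// Opt-Out flag (RFC 5155 §3.1.2.1)`, plus parentheses so the mixed `&&`/`&` does not draw a -Wparentheses warning. getDenial's body starts outside this hunk.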
if(r.first == r.second) {
LOG("No DS for "<<*(zoneCutIter+1)<<", now look for a secure denial"<<endl);
dState res = getDenial(validrrsets, *(zoneCutIter+1), QType::DS);
- if (res == INSECURE)
+ if (res == INSECURE || res == NXDOMAIN)
return Bogus;
- if (res == NXDOMAIN || res == NXQTYPE)
+ if (res == NXQTYPE || res == OPTOUT)
return Insecure;
}
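Review bot: Results other than INSECURE, NXDOMAIN, NXQTYPE and OPTOUT (NODATA, ENT) fall out of the `if` block at L28 without a return, and what the function does next is outside the hunk, so a one-line comment after L27 stating the intended handling of those cases would make the fall-through deliberate rather than accidental. The new mapping of NXDOMAIN to Bogus at L23 also warrants a why-comment, since a reader has to infer that the delegation name is known to exist and a proof of its non-existence is therefore contradictory; something like `// the cut exists (we followed it), so a secure NXDOMAIN here is inconsistent` would do, if that is indeed the reasoning. The enclosing function starts and ends outside this hunk.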
extern const char *vStates[];
// NSEC(3) results
-enum dState { NODATA, NXDOMAIN, NXQTYPE, ENT, INSECURE };
+enum dState { NODATA, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
extern const char *dStates[];
class DNSRecordOracle