compare NSEC labels canonically instead of DNSName default. Clears up many in-addr...

author bert hubert <bert.hubert@netherlabs.nl>

Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)

committer bert hubert <bert.hubert@netherlabs.nl>

Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)
author bert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)
committer bert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)
diff --git a/pdns/validate.cc b/pdns/validate.cc

index 38a7be2577ad86619d37fd23964881ad39e4b389..8d9571ee977bb7606b25559e30384ce13be11459 100644 (file)
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -388,7 +388,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
                if(nsec) {
                  if(v.first.first == qname && !nsec->d_set.count(QType::DS))
                    return Insecure;
-                else if(v.first.first < qname && qname < nsec->d_next ) {
+                else if(v.first.first.canonCompare(qname) && qname.canonCompare(nsec->d_next) ) {
                    LOG("Did not find DS for this level, trying one lower"<<endl);
                    goto skipLevel;
                  }
author	bert hubert <bert.hubert@netherlabs.nl>
	Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)
committer	bert hubert <bert.hubert@netherlabs.nl>
	Fri, 1 Jul 2016 15:25:39 +0000 (17:25 +0200)