From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 29 Nov 2023 15:47:01 +0000 (+0100)
Subject: rec: a single NSEC3 record covering everything is a special case
X-Git-Tag: rec-5.0.0-rc1~4^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=257b23b4f55031a94b04c472489c3806ab57a244;p=thirdparty%2Fpdns.git

rec: a single NSEC3 record covering everything is a special case

Fixes #13542
---

diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index b419f5ef25..08dea324a1 100644
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -261,6 +261,10 @@ static bool commonPrefixIsLong(const string& one, const string& two, size_t boun
 bool AggressiveNSECCache::isSmallCoveringNSEC3(const DNSName& owner, const std::string& nextHash)
 {
   std::string ownerHash(fromBase32Hex(owner.getRawLabel(0)));
+  // Special case: empty zone, so the single NSEC3 covers everything. Prefix is long but we still want it cached.
+  if (ownerHash == nextHash) {
+    return false;
+  }
   return commonPrefixIsLong(ownerHash, nextHash, AggressiveNSECCache::s_maxNSEC3CommonPrefix);
 }