From: bert hubert
Date: Fri, 1 Jul 2016 09:50:04 +0000 (+0200)
Subject: some TLDs have only 1 NSEC3 record
X-Git-Tag: rec-4.0.0~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=784dca6da17f0ffde56c5c49feb8eac4e680f075;p=thirdparty%2Fpdns.git
some TLDs have only 1 NSEC3 record
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 6918f5f06a..ee326b321a 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -401,10 +401,13 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset) auto nsec3 = std::dynamic_pointer_cast(r); string h = hashQNameWithSalt(nsec3->d_salt, nsec3->d_iterations, qname); + // cerr<<"Salt length: "<d_salt.length()<<", iterations: "<d_iterations<<", hashed: "<d_nexthash) || - (nsec3->d_nexthash > h && beginHash > nsec3->d_nexthash)) { //wrap + (nsec3->d_nexthash > h && beginHash > nsec3->d_nexthash) || //wrap + beginHash == nsec3->d_nexthash) // "we have only 1 NSEC3 record, LOL!" + { LOG("Denies existence of DS!"<