From: bert hubert <bert.hubert@netherlabs.nl>
Date: Fri, 1 Jul 2016 15:25:39 +0000 (+0200)
Subject: compare NSEC labels canonically instead of DNSName default. Clears up many in-addr... 
X-Git-Tag: rec-4.0.0~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea7f9f21a36f15ccf41baf0a6e0c0791730e68a4;p=thirdparty%2Fpdns.git

compare NSEC labels canonically instead of DNSName default. Clears up many in-addr.arpa failures.
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 38a7be2577..8d9571ee97 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -388,7 +388,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
               if(nsec) {
                 if(v.first.first == qname && !nsec->d_set.count(QType::DS))
                   return Insecure;
-                else if(v.first.first < qname && qname < nsec->d_next ) {
+                else if(v.first.first.canonCompare(qname) && qname.canonCompare(nsec->d_next) ) {
                   LOG("Did not find DS for this level, trying one lower"<<endl);
                   goto skipLevel;
                 }