git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Sat, 27 Nov 2021 22:46:01 +0000 (09:46 +1100)
committer	Petr Špaček <pspacek@isc.org>
	Thu, 2 Dec 2021 13:24:37 +0000 (14:24 +0100)
commit	5252985a2117a93038ddcf4c9ab09c0f3b03e883
tree	bd83be831ab214134f33e4c03a796cf2e06be539	tree \| snapshot
parent	94935e7e345cff54e08a91588ef1f934a842914b	commit \| diff

Look for covering NSEC under two more conditions

1) when after processing a node there where no headers that
   contained active records.

   When

       if (check_stale_header(node, header, &locktype, lock, &search,
      &header_prev);

   succeeds or

       if (EXISTS(header) && !ANCIENT(header))

   fails for all entries in the list leading to 'empty_node' remaining
   true.

   If there is are no active records we know nothing about the
   current state of the name so we treat is as ISC_R_NOTFOUND.

2) when there was a covering NOQNAME proof found or all the
   active headers where negative.

   When

if (header->noqname != NULL &&
    header->trust == dns_trust_secure)

   succeeds or

if (!NEGATIVE(header))

   never succeeds.  Under these conditions there could (should be for
   found_noqname) be a covering NSEC earlier in the tree.