Do not attempt to write NSEC3 pairs pointing to ourselves.
authorMiod Vallat <miod.vallat@powerdns.com>
Thu, 3 Jul 2025 05:26:55 +0000 (07:26 +0200)
committerMiod Vallat <miod.vallat@powerdns.com>
Thu, 3 Jul 2025 13:38:42 +0000 (15:38 +0200)
The second record from the pair would end up overwriting the first one,
which could confuse the logic assuming pairs are always well-formed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
modules/lmdbbackend/lmdbbackend.cc

index 83b3a7fda5e687b45eddd744d5201a3157b53aaf..737dcca2daf9b34d9156dd875d23fd077232a73e 100644 (file)
@@ -1208,6 +1208,13 @@ void LMDBBackend::deleteNSEC3RecordPair(const std::shared_ptr<RecordsRWTransacti
 // `ordername'.
 void LMDBBackend::writeNSEC3RecordPair(const std::shared_ptr<RecordsRWTransaction>& txn, domainid_t domain_id, const DNSName& qname, const DNSName& ordername)
 {
+  // We can only write one NSEC3 record par qname; do not attempt to write
+  // records pointing to ourselves, as only the last record of the pair would
+  // end up in the database.
+  if (ordername == qname) {
+    return;
+  }
+
   compoundOrdername co; // NOLINT(readability-identifier-length)
 
   // Check for an existing NSEC3 record. If one exists, either it points to the
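Review bot: The early return on `ordername == qname` sits above the existing-record check that begins at the end of this hunk, so a pair written earlier for this qname with a different ordername appears to stay in the database instead of being replaced or removed. The rest of writeNSEC3RecordPair is outside the hunk, so please confirm whether every caller deletes the old pair first. The return is also silent, so a self-referencing ordername (presumably a sign of bad input upstream) leaves no trace when someone later investigates a broken NSEC3 denial-of-existence chain. A debug-level log, or a sentence in the function's header comment saying the call is a no-op in this case, would help. The new comment also has a typo and should read `// We can only write one NSEC3 record per qname; do not attempt to write`.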