When receiving NSEC records via IXFR, the node was not marked with
havensec because the condition checked the uninitialized output
rdataset type instead of the input rdataset type. This caused
queries for empty non-terminal names in NSEC-signed zones received
via IXFR to return the zone apex NSEC instead of the correct
covering NSEC record.
The bug was introduced in
f4b4f030.
*/
options = DNS_DBADD_MERGE | DNS_DBADD_EXACT |
DNS_DBADD_EXACTTTL;
- if (!node->havensec && ardataset.type == dns_rdatatype_nsec) {
+ if (!node->havensec && rds->type == dns_rdatatype_nsec) {
nsec = qp;
}
result = qpzone_addrdataset_inner(
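Review bot: The corrected condition on `rds->type` carries no comment explaining why the input rdataset must be tested here. The commit message describes `ardataset` as the uninitialized output rdataset at this point, and the check sits before the `qpzone_addrdataset_inner()` call, so the same mistake is easy to reintroduce. A one-line comment above the `if`, stating that `ardataset` is not yet populated and that `rds` is the rdataset being added, would guard against that. No test is visible alongside this change; a regression test that transfers an NSEC-signed zone via IXFR and then queries an empty non-terminal name, asserting that the covering NSEC is returned rather than the zone apex NSEC, would pin down the behaviour the commit message describes.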