dnssec-validate: also check nodes affected by changes of NSEC3 chain...
authorLibor Peltan <libor.peltan@nic.cz>
Wed, 1 Sep 2021 11:12:46 +0000 (13:12 +0200)
committerDaniel Salzman <daniel.salzman@nic.cz>
Tue, 7 Sep 2021 13:37:21 +0000 (15:37 +0200)
...this especially covers the case when only the NSEC3 chain is changed, and thus a_ctx->node_ptrs is empty

src/knot/dnssec/nsec-chain.c
src/knot/dnssec/nsec3-chain.c

index 4793290ff5b6abf1b1284fa871d19065edcf1aae..cfaa609c77b03033c4914c774a274f3726f36577 100644 (file)
@@ -408,6 +408,11 @@ static int check_nsec_bitmap(zone_node_t *node, void *ctx)
        const zone_node_t *nsec_node = node;
        bool shall_no_nsec = node_no_nsec(node);
        if (data->nsec3_params != NULL) {
+               if ((node->flags & NODE_FLAGS_DELETED) ||
+                   node_rrtype_exists(node, KNOT_RRTYPE_NSEC3)) {
+                       // this can happen when checking nodes from adjust_ptrs
+                       return KNOT_EOK;
+               }
                nsec_node = node_nsec3_get(node);
                shall_no_nsec = (node->flags & NODE_FLAGS_DELETED) ||
                                (node->flags & NODE_FLAGS_NONAUTH);
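Review bot: With the new early return, the `node->flags & NODE_FLAGS_DELETED` term in the `shall_no_nsec` assignment just below the guard can no longer be true in the NSEC3 branch, so a deleted node now skips every later check in this function instead of being treated as "must have no NSEC3". If the code after this hunk (not visible here) used `shall_no_nsec` to reject a deleted node whose NSEC3 record is still present, that validation is silently lost for such nodes. If skipping deleted nodes is intended, simplify the assignment to `shall_no_nsec = (node->flags & NODE_FLAGS_NONAUTH);` and extend the comment to say why a deleted node needs no bitmap check; otherwise narrow the guard to `if (node_rrtype_exists(node, KNOT_RRTYPE_NSEC3)) {`. The body of check_nsec_bitmap() continues outside the hunk.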
index 0a08c8f4075cf0c09918bf072c7671f31def8402..97010be5006ef3f93312e744c7e1ec8c42d153a5 100644 (file)
@@ -724,5 +724,10 @@ int knot_nsec3_check_chain_fix(zone_update_t *update, const dnssec_nsec3_params_
                return ret;
        }
 
+       ret = nsec_check_bitmaps(update->a_ctx->adjust_ptrs, &data); // adjust_ptrs contain also NSEC3-nodes. See check_nsec_bitmap() how this is handled.
+       if (ret != KNOT_EOK) {
+               return ret;
+       }
+
        return nsec_check_new_connects(update->a_ctx->nsec3_ptrs, &data);
 }
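Review bot: The trailing comment on the `nsec_check_bitmaps(update->a_ctx->adjust_ptrs, &data);` line runs far past the width of the surrounding code and understates the dependency: this call is only correct because check_nsec_bitmap() returns early for NSEC3 nodes and for deleted nodes. I would put it on its own line above the statement, e.g. `// adjust_ptrs also holds NSEC3 nodes and deleted nodes; check_nsec_bitmap() skips both.` Nodes present both in adjust_ptrs and in whatever set is checked earlier in this function (outside the hunk) would presumably be validated twice, which looks harmless but is worth a word in the comment. The function starts outside the hunk.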