Wrong NSEC3 chosen for NO QNAME proof
authorMark Andrews <marka@isc.org>
Tue, 22 Apr 2025 08:39:59 +0000 (18:39 +1000)
committerMichał Kępień <michal@isc.org>
Thu, 8 May 2025 19:48:11 +0000 (21:48 +0200)
When we optimised the closest encloser NSEC3 discovery, the maxlabels
variable was used in the binary search. The updated value was later
used to add the NO QNAME NSEC3, but that block of code needed the
original value. This resulted in the wrong NSEC3 sometimes being
chosen to perform this role.

lib/ns/query.c

index dddaed62248a7e15e985c8b7308ba11a43755407..901041e9ec91b6a6d4d94a26d9ffb7ce96e2a499 100644 (file)
@@ -11015,6 +11015,7 @@ again:
                 */
                unsigned int maxlabels = dns_name_countlabels(name);
                unsigned int minlabels = dns_name_countlabels(fname);
+               unsigned int namelabels = maxlabels;
                bool search = result == DNS_R_NXDOMAIN;
                dns_name_copy(name, cname);
                while (search) {
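Review bot: The added `namelabels` declaration carries no comment explaining why a second copy of the label count is needed, so nothing stops a future optimisation from folding it back into `maxlabels` and reintroducing the bug. Per the commit message, `maxlabels` is narrowed by the search loop that starts at `while (search)` and continues outside this hunk, while the no-qname block in the later hunks needs the original count of `name`; I could not confirm the narrowing from the visible lines. A comment on the new line would pin the contract: `unsigned int namelabels = maxlabels; /* keep the full count of name; maxlabels is narrowed by the search below and the no qname proof needs the original value */`. Since the value is never meant to change, declaring it `const unsigned int namelabels = maxlabels;` would let the compiler enforce that. The enclosing function continues beyond both ends of this hunk.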
@@ -11072,7 +11073,7 @@ again:
                 * Add no qname proof.
                 */
                labels = dns_name_countlabels(cname) + 1;
-               if (labels > maxlabels) {
+               if (labels > namelabels) {
                        char namebuf[DNS_NAME_FORMATSIZE];
                        dns_name_format(cname, namebuf, sizeof(namebuf));
                        ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
@@ -11080,7 +11081,7 @@ again:
                                      "closest-encloser name too long: %s",
                                      namebuf);
                        dns_name_copy(name, wname);
-               } else if (labels == maxlabels) {
+               } else if (labels == namelabels) {
                        dns_name_copy(name, wname);
                } else {
                        dns_name_split(name, labels, NULL, wname);