fix for errata 3441 of RFC5155
authorKees Monshouwer <mind04@monshouwer.org>
Fri, 28 Feb 2014 00:07:07 +0000 (01:07 +0100)
committermind04 <mind04@monshouwer.org>
Thu, 30 Apr 2015 22:12:17 +0000 (00:12 +0200)
pdns/backends/bind/bindbackend2.cc
pdns/packethandler.cc

index 07e2f1c238e90c09cdfcbb2d61d6d20485e40c4f..71e5bec7923df24d1ae387b16df54df3d92a6f52 100644 (file)
@@ -613,7 +613,7 @@ void Bind2Backend::doEmptyNonTerminals(shared_ptr<State> stage, int id, bool nse
 
     while(chopOff(shorter))
     {
-      if(!qnames.count(shorter) && !nonterm.count(shorter))
+      if(!qnames.count(shorter))
       {
         if(!(maxent))
         {
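Review bot: With `!nonterm.count(shorter)` dropped from the guard, the block under `if(!qnames.count(shorter))` is now entered again for every ancestor name already recorded as an empty non-terminal, so the `if(!(maxent))` limit check is reached on those repeat visits as well. The rest of the block and of doEmptyNonTerminals lies outside this hunk, so it cannot be confirmed here that `maxent` is only charged when a new name is inserted. If it is charged per visit, a zone with many names below one shared empty non-terminal could hit the limit early and be left with incomplete non-terminal data. A comment at the condition would help, for example `// also revisit names already in nonterm; maxent must only be charged for new entries`, adjusted to whatever the body actually does.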
index 18dc53f74816a5e939d5f9005c6ae142089ae8cc..39fe8d7a2d02985ef6a90ca936656eea77166d55 100644 (file)
@@ -607,16 +607,18 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after, mode);
 
-    if (mode == 1 && (hashed != before)) {
-      DLOG(L<<"No matching NSEC3 for DS, do closest (provable) encloser"<<endl);
+    if ((mode == 0 ||  mode == 1) && (hashed != before)) {
+      DLOG(L<<"No matching NSEC3, do closest (provable) encloser"<<endl);
 
+      bool doBreak = false;
       DNSResourceRecord rr;
       while( chopOff( closest ) && (closest != sd.qname))  { // stop at SOA
         B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
-        if (B.get(rr)) {
-          while(B.get(rr));
+        while(B.get(rr))
+          if (rr.auth)
+            doBreak = true;
+        if(doBreak)
           break;
-        }
       }
       doNextcloser = true;
       unhashed=closest;
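Review bot: The new `while(B.get(rr))` loop has no braces around its nested `if (rr.auth)`, so the following `if(doBreak)` is easy to misread as part of the loop. Writing it as `while(B.get(rr)) { if (rr.auth) doBreak = true; }` with a comment such as `// drain the full result set; only an authoritative record makes this name the closest encloser` would make the intent explicit. The literals in `mode == 0 || mode == 1` are also undocumented in the visible lines, and a short comment naming the two cases would help the next reader. Widening the condition means this walk, with one `B.lookup` of type ANY per chopped label, now runs for more negative answers than before. If `closest` is derived from the query name (not visible in this hunk), the backend lookups per response scale with the label count the client sends, so it is worth confirming that cost is bounded. addNSEC3 starts and ends outside the hunk.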