From: Ondřej Surý <ondrej@isc.org>
Date: Thu, 16 Apr 2026 09:21:48 +0000 (+0200)
Subject: Fix dropped covers field for SIG records in dns_diff_apply
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a5ba57116857779680d76fe4b20e125f3bc3b71;p=thirdparty%2Fbind9.git

Fix dropped covers field for SIG records in dns_diff_apply

rdata_covers() in lib/dns/diff.c discriminated only on
dns_rdatatype_rrsig (46) and returned 0 for the legacy SIG (24), so
the covered-type field was silently discarded on the dynamic-update
and IXFR paths.  Every SIG rdataset was then filed in the zone DB
under typepair (SIG, 0) instead of (SIG, covered_type); a second SIG
add with a different covers but a different TTL collided at that
bucket, tripped DNS_DBADD_EXACTTTL in qpzone, returned
DNS_R_NOTEXACT, and came back to the client as SERVFAIL.

Use dns_rdatatype_issig() here so both SIG and RRSIG carry their
covers through the diff, matching the helper pattern already used in
lib/dns/master.c, lib/ns/xfrout.c, lib/dns/qpcache.c, and the
dns__db_findrdataset() REQUIRE that the surrounding merge request
just relaxed.
---

diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 4e9ea0c4940..9ab3ff7cc4e 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -38,7 +38,7 @@
 
 static dns_rdatatype_t
 rdata_covers(dns_rdata_t *rdata) {
-	return rdata->type == dns_rdatatype_rrsig ? dns_rdata_covers(rdata) : 0;
+	return dns_rdatatype_issig(rdata->type) ? dns_rdata_covers(rdata) : 0;
 }
 
 void