From: Miod Vallat Date: Thu, 3 Jul 2025 05:26:55 +0000 (+0200) Subject: Do not attempt to write NSEC3 pairs pointing to ourselves. X-Git-Tag: rec-5.3.0-alpha2~10^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=225b8ce01647b4de4cce831ace2b80f853b7cb8c;p=thirdparty%2Fpdns.git Do not attempt to write NSEC3 pairs pointing to ourselves. The second record from the pair would end up overwriting the first one, which could confuse the logic assuming pairs are always well-formed. Signed-off-by: Miod Vallat --- diff --git a/modules/lmdbbackend/lmdbbackend.cc b/modules/lmdbbackend/lmdbbackend.cc index 83b3a7fda5..737dcca2da 100644 --- a/modules/lmdbbackend/lmdbbackend.cc +++ b/modules/lmdbbackend/lmdbbackend.cc @@ -1208,6 +1208,13 @@ void LMDBBackend::deleteNSEC3RecordPair(const std::shared_ptr& txn, domainid_t domain_id, const DNSName& qname, const DNSName& ordername) { + // We can only write one NSEC3 record par qname; do not attempt to write + // records pointing to ourselves, as only the last record of the pair would + // end up in the database. + if (ordername == qname) { + return; + } + compoundOrdername co; // NOLINT(readability-identifier-length) // Check for an existing NSEC3 record. If one exists, either it points to the
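Review bot: the early `return` on `ordername == qname` is placed before the "Check for an existing NSEC3 record" step, so when the function is called with an ordername equal to the name, whatever is already stored for that qname is skipped over rather than examined. If a stale record can exist there, it should be cleaned up before returning, or the comment should say why none can exist at this point. The function returns void and bails out silently, so callers cannot tell that nothing was written; a short note in the comment on what readers should expect when no pair exists for a name would help, since the commit message says other logic assumes pairs are always well-formed. Also a typo in the added comment: "one NSEC3 record par qname" should read "per qname".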