From: Mark Andrews Date: Wed, 30 Dec 2009 02:43:09 +0000 (+0000) Subject: 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that X-Git-Tag: v9.4.3-P1~2^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57fb4f7bbec88bc6431a39d4a10f82c265798b1f;p=thirdparty%2Fbind9.git 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that was in the process of being created was not properly recorded in the zone. [RT #20786] --- diff --git a/CHANGES b/CHANGES index 1ebc7bdb683..0aa93d5a6ee 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that + was in the process of being created was not properly + recorded in the zone. [RT #20786] + 2824. [bug] "rndc sign" was not being run by the correct task. [RT #20759] diff --git a/bin/named/update.c b/bin/named/update.c index 6753b3b924e..f9a3e2817a7 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.178 2009/12/18 23:49:03 tbox Exp $ */ +/* $Id: update.c,v 1.179 2009/12/30 02:43:09 marka Exp $ */ #include @@ -3182,6 +3182,23 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(do_one_tuple(&newtuple, db, ver, diff)); } + /* + * Remove any existing CREATE request to add an + * otherwise indentical chain with a reversed + * OPTOUT state. + */ + buf[2] ^= DNS_NSEC3FLAG_OPTOUT; + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + + if (flag) { + CHECK(dns_difftuple_create(diff->mctx, + DNS_DIFFOP_DEL, + name, tuple->ttl, + &rdata, + &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + } + /* * Remove the temporary add record. */
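Review bot: In the add_nsec3param_records hunk of bin/named/update.c, `buf[2] ^= DNS_NSEC3FLAG_OPTOUT;` toggles the flag in the shared buffer in place, and nothing in the visible lines toggles it back. If the "Remove the temporary add record" step that follows, or a later pass over the same data, reads `buf` or `rdata`, it will see the reversed OPTOUT state rather than the one that was requested. Either restore the bit after the `if (flag)` block or state in the comment that later code does not depend on it. The bare index 2 would also read better with a short comment saying which field of the record it addresses, and "indentical" in the new comment should be "identical".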