From: Libor Peltan Date: Wed, 1 Sep 2021 11:12:46 +0000 (+0200) Subject: dnssec-validate: also check nodes affected by changes of NSEC3 chain... X-Git-Tag: v3.1.2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62017e2854d3b7cceb8b7fcc843ba7ebbde1f387;p=thirdparty%2Fknot-dns.git dnssec-validate: also check nodes affected by changes of NSEC3 chain... ...this especially covers the case when only NSEC3 chain is changed, and thus a_ctx->node_ptrs empty
---
diff --git a/src/knot/dnssec/nsec-chain.c b/src/knot/dnssec/nsec-chain.c
index 4793290ff5..cfaa609c77 100644
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -408,6 +408,11 @@ static int check_nsec_bitmap(zone_node_t *node, void *ctx)
 const zone_node_t *nsec_node = node;
 bool shall_no_nsec = node_no_nsec(node);
 if (data->nsec3_params != NULL) {
+ if ((node->flags & NODE_FLAGS_DELETED) ||
+ node_rrtype_exists(node, KNOT_RRTYPE_NSEC3)) {
+ // this can happen when checking nodes from adjust_ptrs
+ return KNOT_EOK;
+ }
 nsec_node = node_nsec3_get(node);
 shall_no_nsec = (node->flags & NODE_FLAGS_DELETED) ||
 (node->flags & NODE_FLAGS_NONAUTH);
diff --git a/src/knot/dnssec/nsec3-chain.c b/src/knot/dnssec/nsec3-chain.c
index 0a08c8f407..97010be500 100644
--- a/src/knot/dnssec/nsec3-chain.c
+++ b/src/knot/dnssec/nsec3-chain.c
@@ -724,5 +724,10 @@ int knot_nsec3_check_chain_fix(zone_update_t *update, const dnssec_nsec3_params_
 return ret;
 }
 
+ ret = nsec_check_bitmaps(update->a_ctx->adjust_ptrs, &data); // adjust_ptrs contain also NSEC3-nodes. See check_nsec_bitmap() how this is handled.
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
+
 return nsec_check_new_connects(update->a_ctx->nsec3_ptrs, &data);
 }
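Review bot: The new guard in the `data->nsec3_params != NULL` branch returns `KNOT_EOK` for every node carrying `NODE_FLAGS_DELETED`, whichever list it came from, so the `NODE_FLAGS_DELETED` term in the `shall_no_nsec` assignment two lines below can no longer be true in this branch. The rest of check_nsec_bitmap lies outside the hunk, but if it relied on that term to report an NSEC3 record left behind for a deleted name, that validation is now skipped without any error. If only NSEC3 nodes need to be skipped, narrow the guard to `if (node_rrtype_exists(node, KNOT_RRTYPE_NSEC3)) {`; if deleted nodes must be skipped as well, reduce the assignment to `shall_no_nsec = (node->flags & NODE_FLAGS_NONAUTH);`. In both cases the comment should say which of the two conditions adjust_ptrs produces and why returning success is safe for it.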
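Review bot: The explanation for the new `nsec_check_bitmaps(update->a_ctx->adjust_ptrs, &data)` call is a trailing comment that makes the line far longer than the surrounding code and only refers the reader to another file. Move it onto its own line above the call and state the fact directly, for example `// adjust_ptrs also holds NSEC3 nodes; check_nsec_bitmap() returns KNOT_EOK for those`. Per the commit message this call is the only bitmap check that runs when just the NSEC3 chain changed, so a regression test for that case would keep the validation from silently losing coverage again. knot_nsec3_check_chain_fix begins outside the hunk, so whether nodes present in both lists are checked twice cannot be judged from here.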