From: Matthijs Mekking
Date: Tue, 9 Dec 2025 12:45:40 +0000 (+0100)
Subject: Don't create NSEC3 nodes for unsigned delegations
X-Git-Tag: v9.21.17~41^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f7abbfaac1aad2716532c83d2dff6dd804b053b;p=thirdparty%2Fbind9.git

Don't create NSEC3 nodes for unsigned delegations

Instead of creating new nodes for every possible NSEC3 record, only create them if we are actually going to add a new NSEC3 record.
---

diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index ff53e90be91..bf9c8486ac3 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -565,7 +565,24 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 	 * Create the node if it doesn't exist and hold
 	 * a reference to it until we have added the NSEC3.
 	 */
-	CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+	result = dns_db_findnsec3node(db, hashname, false, &newnode);
+	if (result != ISC_R_SUCCESS) {
+		isc_result_t tresult;
+		CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+		tresult = dns_dbiterator_seek3(dbit, hashname);
+		CHECK(dns_dbiterator_pause(dbit));
+		if (tresult != ISC_R_SUCCESS) {
+			/* Nothing in the NSEC3 space yet. */
+			if (!unsecure) {
+				goto addnsec3;
+			}
+			goto cleanup;
+		}
+		goto find_previous;
+	}
 	/*
 	 * Seek the iterator to the 'newnode'.
@@ -610,6 +627,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 		}
 	}
+find_previous:
 	/*
 	 * Find the previous NSEC3 (if any) and update it if required.
 	 */
@@ -694,6 +712,10 @@ addnsec3:
 	/*
 	 * Create the NSEC3 RDATA.
 	 */
+	if (newnode == NULL) {
+		CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+	}
+
 	CHECK(dns_db_findnode(db, name, false, &node));
 	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags,
 				   iterations, salt, salt_length, nexthash, next_length,
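Review bot: The branch `if (result != ISC_R_SUCCESS) {` after the new `dns_db_findnsec3node(db, hashname, false, &newnode)` call treats every failure as "the NSEC3 node does not exist", so a genuine database or allocation error is dropped and the function carries on as if the name were merely absent, including creating the node later on the `!unsecure` path; only the not-found result (presumably ISC_R_NOTFOUND, which I cannot confirm from the hunk) should take this route. I would add `if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { goto cleanup; }` ahead of the branch and change its test to `if (result == ISC_R_NOTFOUND) {`. The `goto find_previous` after the seek relies on dns_dbiterator_seek3() leaving dbit positioned usefully for the previous-NSEC3 walk even though no exact node exists; a one-line comment stating what seek3 returns and where it parks the iterator would make that contract explicit. dns_nsec3_addnsec3() starts before this hunk and the cleanup, addnsec3 and find_previous targets are outside it, so I cannot see what `result` is returned on the `goto cleanup` path.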
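Review bot: The new `if (newnode == NULL)` guard ahead of `CHECK(dns_db_findnode(db, name, false, &node))` has no comment saying when newnode can still be NULL here, so a reader of the addnsec3 label alone cannot tell this is the deferred node creation the commit message describes. I would add above it: `/* The hash name did not exist when it was looked up earlier; now that an NSEC3 is definitely being added, create its node. */`. The remainder of addnsec3 and the cleanup label lie outside this hunk, and dns_nsec3_addnsec3() starts before it.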