From: Mark Andrews <marka@isc.org>
Date: Tue, 15 Jul 2025 05:14:23 +0000 (+1000)
Subject: Fix find_coveringnsec in qpcache.c
X-Git-Tag: v9.21.11~36^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7de4207cb6dc9c65a4405a1710d15a723a6d2bf1;p=thirdparty%2Fbind9.git

Fix find_coveringnsec in qpcache.c

dns_qp_lookup was returning ISC_R_NOTFOUND rather than DNS_R_PARTIALMATCH
when there wasn't a parent with a NSEC record in the cache.  This was
causing find_coveringnsec to fail rather than returing the covering NSEC.
---

diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 7e685318b88..eaafdfcf5d2 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -1397,7 +1397,13 @@ find_coveringnsec(qpc_search_t *search, const dns_name_t *name,
 	 */
 	result = dns_qp_lookup(search->qpdb->nsec, name, DNS_DBNAMESPACE_NSEC,
 			       NULL, &iter, NULL, (void **)&node, NULL);
-	if (result != DNS_R_PARTIALMATCH) {
+	/*
+	 * When DNS_R_PARTIALMATCH or ISC_R_NOTFOUND is returned from
+	 * dns_qp_lookup there is potentially a covering NSEC present
+	 * in the cache so we need to search for it.  Otherwise we are
+	 * done here.
+	 */
+	if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
 		return ISC_R_NOTFOUND;
 	}