From: Mark Andrews
Date: Tue, 22 Apr 2025 08:39:59 +0000 (+1000)
Subject: Wrong NSEC3 chosen for NO QNAME proof
X-Git-Tag: v9.21.8~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9bb93520f18c470dd817dac7b7bd830b1fbd5f90;p=thirdparty%2Fbind9.git

Wrong NSEC3 chosen for NO QNAME proof

When we optimised the closest encloser NSEC3 discovery the maxlabels variable was used in the binary search. The updated value was later used to add the NO QNAME NSEC3 but that block of code needed the original value. This resulted in the wrong NSEC3 sometimes being chosen to perform this role.
---
diff --git a/lib/ns/query.c b/lib/ns/query.c
index dddaed62248..901041e9ec9 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11015,6 +11015,7 @@ again:
 */
 unsigned int maxlabels = dns_name_countlabels(name);
 unsigned int minlabels = dns_name_countlabels(fname);
+ unsigned int namelabels = maxlabels;
 bool search = result == DNS_R_NXDOMAIN;
 dns_name_copy(name, cname);
 while (search) {
@@ -11072,7 +11073,7 @@ again:
 * Add no qname proof.
 */
 labels = dns_name_countlabels(cname) + 1;
- if (labels > maxlabels) {
+ if (labels > namelabels) {
 char namebuf[DNS_NAME_FORMATSIZE];
 dns_name_format(cname, namebuf, sizeof(namebuf));
 ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
@@ -11080,7 +11081,7 @@ again:
 "closest-encloser name too long: %s",
 namebuf);
 dns_name_copy(name, wname);
- } else if (labels == maxlabels) {
+ } else if (labels == namelabels) {
 dns_name_copy(name, wname);
 } else {
 dns_name_split(name, labels, NULL, wname);
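Review bot: The new `namelabels` declaration in the first hunk carries no comment, so a reader sees two variables initialised to the same value with nothing saying which one the search below is allowed to narrow, and that confusion is exactly the defect this commit fixes. Suggest `unsigned int namelabels = maxlabels; /* maxlabels is narrowed by the search loop below; the NO QNAME proof needs the original label count of name */`. The `while (search)` body that updates `maxlabels` lies outside the hunk, so I am taking the commit message's word that it is the mutator; if so, a more robust alternative is to keep the binary-search bounds as loop-local names so that `maxlabels` is never reassigned and the second and third hunks could keep reading it. The second and third hunks only rename the two reads and need no further change beyond the comment on the declaration.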