From: Marek Vavruša <marek.vavrusa@nic.cz>
Date: Thu, 12 Nov 2015 17:36:33 +0000 (+0100)
Subject: lib/dnssec: always check wildcard expansion proof
X-Git-Tag: v1.0.0-beta2~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d94caa6cc73877dfc6ae419b43e9142aa59d4bc4;p=thirdparty%2Fknot-resolver.git

lib/dnssec: always check wildcard expansion proof

refs #33
---

diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 62efdc896..41f57ca38 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -316,11 +316,11 @@ int kr_nsec_existence_denial(const knot_pkt_t *pkt, knot_section_t section_id,
 		/* NSEC proves that name exists, but has no data (RFC4035 4.9, 1) */
 		if (knot_dname_is_equal(rrset->owner, sname)) {
 			no_data_response_check_rrtype(&flags, rrset, stype);
-			no_data_wildcard_existence_check(&flags, rrset, sec);
 		} else {
 			/* NSEC proves that name doesn't exist (RFC4035, 4.9, 2) */
 			name_error_response_check_rr(&flags, rrset, sname);
 		}
+		no_data_wildcard_existence_check(&flags, rrset, sec);
 	}
 
 	return kr_nsec_existence_denied(flags) ? kr_ok() : kr_error(ENOENT);