From: Mark Andrews
Date: Tue, 9 Jan 2024 01:12:33 +0000 (+1100)
Subject: Properly build the NSEC/NSEC3 type bit map
X-Git-Tag: v9.20.0~35^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec3c6248148dec0696eeab62abdf53ea71116c0b;p=thirdparty%2Fbind9.git

Properly build the NSEC/NSEC3 type bit map

DNSKEY was incorrectly being added to the NESC/NSEC3 type bit map when it was obscured by the delegation. This lead to zone verification failures.
---
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index ce60441a448..3419ef1f919 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 * other than NSEC and DS is not signed at a delegation.
 */
 if (rdataset.type != dns_rdatatype_rrsig &&
- rdataset.type != dns_rdatatype_dnskey &&
 (!delegation || rdataset.type == dns_rdatatype_ds ||
 rdataset.type == dns_rdatatype_nsec))
 {
@@ -955,9 +954,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 if (rdataset.type > maxtype) {
 maxtype = rdataset.type;
 }
- } else if (rdataset.type != dns_rdatatype_rrsig &&
- rdataset.type != dns_rdatatype_dnskey)
- {
+ } else if (rdataset.type != dns_rdatatype_rrsig) {
 if (rdataset.type == dns_rdatatype_ns) {
 dns_nsec_setbit(types, rdataset.type, 1);
 if (rdataset.type > maxtype) {
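Review bot: The comment that closes just above this `if` (its opening lines are outside the hunk) names only NSEC and DS in the part shown, so nothing at the condition records why DNSKEY no longer has its own exclusion. Since the commit message ties the old special case to zone verification failures, the rule is worth stating where the next editor will see it. I would extend that comment with a sentence such as `A DNSKEY RRset gets no special case: at a delegation it is obscured, so it must not appear in the type bit map.` The body of this branch is outside the hunk, so what it does with a DNSKEY when `delegation` is false should be confirmed before the comment says more than that.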
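Review bot: No regression test is visible in this patch for the case the rewritten `else if` now takes in, a DNSKEY RRset at a name where `delegation` is true. A small signed test zone with a DNSKEY at a delegation point, verified once with an NSEC chain and once with NSEC3, would pin that only NS sets a bit in this branch. The rest of the `else if` body lies outside the hunk, so whatever it does for the other types it handles now also applies to such a DNSKEY and belongs in the same test.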