From bdb24c91b2b61f09cc449ec55d060afbc44388bb Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 29 Oct 2015 13:08:15 +0000
Subject: [PATCH] - Fix #716: nodata proof with empty non-terminals and wildcards.

git-svn-id: file:///svn/unbound/trunk@3526 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 validator/val_nsec.c | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index be8e50326..a1b0e66c2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 29 October 2015: Wouter
 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+ - Fix #716: nodata proof with empty non-terminals and wildcards.
 28 October 2015: Wouter
 - Fix checklock testcode for linux threads on exit.
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index bdfe3c8fa..58c571a3d 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
 *wc = ce;
 return 1;
 }
+ } else {
+ /* See if the next owner name covers a wildcard
+ * empty non-terminal. */
+ while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+ /* wildcard does not apply if qname below
+ * the name that exists under the '*' */
+ if (dname_subdomain_c(qinfo->qname, nm))
+ break;
+ /* but if it is a wildcard and qname is below
+ * it, then the wildcard applies. The wildcard
+ * is an empty nonterminal. nodata proven. */
+ if (dname_is_wild(nm)) {
+ size_t ce_len = ln;
+ uint8_t* ce = nm;
+ dname_remove_label(&ce, &ce_len);
+ if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+ *wc = ce;
+ return 1;
+ }
+ }
+ dname_remove_label(&nm, &ln);
+ }
 }
 /* Otherwise, this NSEC does not prove ENT and is not a
-- 
2.47.2
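Review bot: The `*wc = ce; return 1;` inside the new else branch of nsec_proves_nodata accepts a wildcard nodata proof from name geometry alone — the wildcard at `nm` is an empty non-terminal, so it carries no type bitmap — and the only "closer name" exclusion is the `dname_subdomain_c(qinfo->qname, nm)` break, which walks ancestors of the NSEC's next name and cannot see other existing names between `ce` and qname; this is only sound if the caller separately verifies that `ce` is qname's closest encloser (via the NSEC that covers qname), which is outside this hunk and should be stated at the return, e.g. `/* caller must confirm ce matches the closest encloser proven for qname */`. The loop also consumes `nm` and `ln` through `dname_remove_label(&nm, &ln)`, which is fine only if nothing after the hunk reads them; the enclosing function continues past the last context line. Finally, the new lines mix `while (` / `if (` with the file's `if(` spacing (compare the added `if(dname_strict_subdomain_c(qinfo->qname, ce))` line) — use one form.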