From ea7f9f21a36f15ccf41baf0a6e0c0791730e68a4 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Fri, 1 Jul 2016 17:25:39 +0200
Subject: [PATCH] compare NSEC labels canonically instead of DNSName default. Clears up many in-addr.arpa failures.
---
 pdns/validate.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 38a7be2577..8d9571ee97 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -388,7 +388,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 if(nsec) {
 if(v.first.first == qname && !nsec->d_set.count(QType::DS))
 return Insecure;
- else if(v.first.first < qname && qname < nsec->d_next ) {
+ else if(v.first.first.canonCompare(qname) && qname.canonCompare(nsec->d_next) ) {
 LOG("Did not find DS for this level, trying one lower"<