lib/dnssec: always check wildcard expansion proof

author Marek Vavruša <marek.vavrusa@nic.cz>

Thu, 12 Nov 2015 17:36:33 +0000 (18:36 +0100)

committer Marek Vavruša <marek.vavrusa@nic.cz>

Thu, 12 Nov 2015 17:36:38 +0000 (18:36 +0100)
author Marek Vavruša <marek.vavrusa@nic.cz>
Thu, 12 Nov 2015 17:36:33 +0000 (18:36 +0100)
committer Marek Vavruša <marek.vavrusa@nic.cz>
Thu, 12 Nov 2015 17:36:38 +0000 (18:36 +0100)
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c

index 62efdc896ddd8526f8ab8fdc65607e3538d1ebb5..41f57ca3888d9e106f290324a37aa7f7f660b2c3 100644 (file)
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -316,11 +316,11 @@ int kr_nsec_existence_denial(const knot_pkt_t *pkt, knot_section_t section_id,
                 /* NSEC proves that name exists, but has no data (RFC4035 4.9, 1) */
                 if (knot_dname_is_equal(rrset->owner, sname)) {
                         no_data_response_check_rrtype(&flags, rrset, stype);
-                       no_data_wildcard_existence_check(&flags, rrset, sec);
                 } else {
                         /* NSEC proves that name doesn't exist (RFC4035, 4.9, 2) */
                         name_error_response_check_rr(&flags, rrset, sname);
                 }
+               no_data_wildcard_existence_check(&flags, rrset, sec);
         }
  
         return kr_nsec_existence_denied(flags) ? kr_ok() : kr_error(ENOENT);
author	Marek Vavruša <marek.vavrusa@nic.cz>
	Thu, 12 Nov 2015 17:36:33 +0000 (18:36 +0100)
committer	Marek Vavruša <marek.vavrusa@nic.cz>
	Thu, 12 Nov 2015 17:36:38 +0000 (18:36 +0100)