From 54c9247ea38a1e48d3804cbff3377c2b0792ea09 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Fri, 28 Feb 2014 01:07:07 +0100
Subject: [PATCH] fix for errata 3441 of RFC5155

---
 modules/bindbackend/bindbackend2.cc |  2 +-
 pdns/packethandler.cc               | 12 +++++++-----
 pdns/pdnssec.cc                     | 12 ++++++------
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/modules/bindbackend/bindbackend2.cc b/modules/bindbackend/bindbackend2.cc
index 169232795e..460ef6898f 100644
--- a/modules/bindbackend/bindbackend2.cc
+++ b/modules/bindbackend/bindbackend2.cc
@@ -675,7 +675,7 @@ void Bind2Backend::doEmptyNonTerminals(shared_ptr<State> stage, int id, bool nse
 
     while(chopOff(shorter))
     {
-      if(!qnames.count(shorter) && !nonterm.count(shorter))
+      if(!qnames.count(shorter))
       {
         if(!(maxent))
         {
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 1bcf238251..e970a649c8 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -618,16 +618,18 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after, mode);
 
-    if (mode == 1 && (hashed != before)) {
-      DLOG(L<<"No matching NSEC3 for DS, do closest (provable) encloser"<<endl);
+    if ((mode == 0 ||  mode == 1) && (hashed != before)) {
+      DLOG(L<<"No matching NSEC3, do closest (provable) encloser"<<endl);
 
+      bool doBreak = false;
       DNSResourceRecord rr;
       while( chopOff( closest ) && (closest != sd.qname))  { // stop at SOA
         B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
-        if (B.get(rr)) {
-          while(B.get(rr));
+        while(B.get(rr))
+          if (rr.auth)
+            doBreak = true;
+        if(doBreak)
           break;
-        }
       }
       doNextcloser = true;
       unhashed=closest;
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 2e942e01a9..7165404df6 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -286,7 +286,7 @@ bool rectifyZone(DNSSECKeeper& dk, const std::string& zone)
         shorter=qname;
         while(!pdns_iequals(shorter, zone) && chopOff(shorter))
         {
-          if(!qnames.count(shorter) && !nonterm.count(shorter))
+          if(!qnames.count(shorter))
           {
             if(!(maxent))
             {
@@ -297,16 +297,16 @@ bool rectifyZone(DNSSECKeeper& dk, const std::string& zone)
               break;
             }
 
+            if (!delnonterm.count(shorter) && !nonterm.count(shorter))
+              insnonterm.insert(shorter);
+            else
+              delnonterm.erase(shorter);
+
             if (!nonterm.count(shorter)) {
               nonterm.insert(pair<string, bool>(shorter, auth));
               --maxent;
             } else if (auth)
               nonterm[shorter]=true;
-
-            if (!delnonterm.count(shorter))
-              insnonterm.insert(shorter);
-            else
-              delnonterm.erase(shorter);
           }
         }
       }
-- 
2.47.3