Cleanup orphaned empty-non-terminal NSEC3
authorMark Andrews <marka@isc.org>
Fri, 21 Apr 2023 02:11:15 +0000 (12:11 +1000)
committerMark Andrews <marka@isc.org>
Tue, 25 Apr 2023 05:46:17 +0000 (06:46 +0100)
When OPTOUT was in use we didn't ensure that NSEC3 records
for orphaned empty-non-terminals were removed.  Check if
there are orphaned empty-non-terminal NSEC3 records even if
there wasn't an NSEC3 RRset to be removed in dns_nsec3_delnsec3.

(cherry picked from commit 27160c137fbe1d8af164210ec423359a2c2f1e13)

lib/dns/nsec3.c

index 520b031117eef9050068736f27c73948b2d92538..7f685808285786de94f28beba0001943a027ba61 100644 (file)
@@ -1443,7 +1443,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 
        result = dns_dbiterator_seek(dbit, hashname);
        if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
-               goto success;
+               goto cleanup_orphaned_ents;
        }
        if (result != ISC_R_SUCCESS) {
                goto failure;
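Review bot: Both new `goto cleanup_orphaned_ents;` jumps, here and in the hunk at -1455, skip all the code between the lookup and the label near line 1540, so every local the orphan-cleanup loop reads must already be initialised on these early paths. Only `name`, `empty`, `dbit` and `hashname` are visible in the diff and the rest of dns_nsec3_delnsec3 lies outside it, so this is something to confirm rather than a confirmed defect. In this first case the jump is taken right after `dns_dbiterator_seek` returned ISC_R_NOTFOUND or DNS_R_PARTIALMATCH, so the loop should re-seek for each candidate name rather than rely on the iterator's current position. A regression test with an opt-out zone whose deleted name leaves an empty non-terminal behind would pin the behaviour the commit message describes.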
@@ -1455,7 +1455,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
                                     (isc_stdtime_t)0, &rdataset, NULL);
        dns_db_detachnode(db, &node);
        if (result == ISC_R_NOTFOUND) {
-               goto success;
+               goto cleanup_orphaned_ents;
        }
        if (result != ISC_R_SUCCESS) {
                goto failure;
@@ -1540,6 +1540,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
        /*
         *  Delete NSEC3 records for now non active nodes.
         */
+cleanup_orphaned_ents:
        dns_name_init(&empty, NULL);
        dns_name_clone(name, &empty);
        do {
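Review bot: The label `cleanup_orphaned_ents:` is placed under the existing comment, which still reads as if this code is reached only after an NSEC3 was deleted for `name`. A short comment at the label would record the new entry condition, for example `/* Also entered when name itself had no NSEC3 (opt-out): empty non-terminals above it may still own NSEC3 records. */`. Without it a later cleanup could plausibly turn the two early exits back into `goto success;` and reintroduce stale NSEC3 records in the chain. The `do {` loop continues past the end of this hunk, so its body is not reviewed here.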