2607. [bug] named could incorrectly delete NSEC3 records for
authorMark Andrews <marka@isc.org>
Thu, 4 Jun 2009 01:47:41 +0000 (01:47 +0000)
committerMark Andrews <marka@isc.org>
Thu, 4 Jun 2009 01:47:41 +0000 (01:47 +0000)
                        empty nodes when processing an update request.
                        [RT #19749]

CHANGES
lib/dns/nsec3.c

diff --git a/CHANGES b/CHANGES
index 1bf812e52c8b77ce1147bbc723b60a2c2a86e7cb..126e037c4ff5547cae348493869015ed22c2ab0f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2607.  [bug]           named could incorrectly delete NSEC3 records for
+                       empty nodes when processing a update request.  
+                       [RT #19749]
+
 2606.  [bug]           "delegation-only" was not being accepted in
                        delegation-only type zones. [RT #19717]
 
index 54a6993e3e7cbf482173b6c1e066ad6e696119ca..9d463eb7979b01bb64a02edee88647ae32578a84 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */
+/* $Id: nsec3.c,v 1.6.12.1 2009/06/04 01:47:41 marka Exp $ */
 
 #include <config.h>
 
@@ -943,6 +943,42 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
        return (result);
 }
 
+/*%
+ * Determine whether any NSEC3 records that were associated with
+ * 'name' should be deleted or if they should continue to exist.
+ * ISC_TRUE indicates they should be deleted.
+ * ISC_FALSE indicates they should be retained.
+ */
+static isc_result_t
+deleteit(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+         isc_boolean_t *yesno)
+{
+        isc_result_t result;
+        dns_fixedname_t foundname;
+        dns_fixedname_init(&foundname);
+
+        result = dns_db_find(db, name, ver, dns_rdatatype_any,
+                             DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+                             (isc_stdtime_t) 0, NULL,
+                             dns_fixedname_name(&foundname),
+                             NULL, NULL);
+       if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
+           result ==  DNS_R_ZONECUT) {
+                *yesno = ISC_FALSE;
+                return (ISC_R_SUCCESS);
+       }
+        if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+            result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+                *yesno = ISC_TRUE;
+                return (ISC_R_SUCCESS);
+        }
+       /*
+        * Silence compiler.
+        */
+       *yesno = ISC_TRUE;
+       return (result);
+}
+
 isc_result_t
 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
                   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
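Review bot: The fall-through at the end of `deleteit` sets `*yesno = ISC_TRUE` before returning an unexpected `dns_db_find()` result, so on failure the out-parameter holds the destructive answer (delete the NSEC3 records). The call site later in this commit wraps the call in `CHECK`, which presumably leaves before `yesno` is read, so this does not look reachable as written. Even so, a helper that exists to prevent wrongful deletion should default to retaining: `*yesno = ISC_FALSE;`. The header comment should also state that the answer is returned through `yesno` and is meaningful only when the function returns `ISC_R_SUCCESS`. The `Silence compiler.` comment could become `/* Unexpected result: report it and default to keeping the records. */`.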
@@ -961,7 +997,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
        dns_rdata_t rdata = DNS_RDATA_INIT;
        dns_rdataset_t rdataset;
        int pass;
-       isc_boolean_t exists;
+       isc_boolean_t yesno;
        isc_buffer_t buffer;
        isc_result_t result;
        unsigned char *salt;
@@ -1096,8 +1132,8 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
                if (labels <= dns_name_countlabels(origin))
                        break;
                dns_name_getlabelsequence(&empty, 1, labels, &empty);
-               CHECK(name_exists(db, version, &empty, &exists));
-               if (exists)
+               CHECK(deleteit(db, version, &empty, &yesno));
+               if (!yesno)
                        break;
 
                CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
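Review bot: `if (!yesno) break;` does not say which question was answered, so the reader has to go back to `deleteit`'s header comment to learn that false means "keep the NSEC3 and stop". A name such as `deletable`, or a comment on the test such as `/* This name must keep its NSEC3; stop here. */`, would make the termination condition readable in place. The enclosing loop starts and continues outside this hunk.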