2876. [bug] Named could return SERVFAIL for negative responses

                        from unsigned zones. [RT #21131]

diff --git a/CHANGES b/CHANGES
index d14fdd638f91b42720152c7fa843c17ec107aa3a..254997ec70ea46c4026dc27bd4c5a2bb38b39781 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2876.  [bug]           Named could return SERVFAIL for negative responses
+                       from unsigned zones. [RT #21131]
+
        --- 9.6.2-P1 released ---
 
 2852.  [bug]           Handle broken DNSSEC trust chains better. [RT #15619]

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 0ccdc41980cec80050bc96da820d9ec8d11f22a3..7144ae2ab6d8b3864382f9671bddca09957e809e 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.11.8.2 2010/02/25 10:57:12 tbox Exp $ */
+/* $Id: validator.c,v 1.164.12.11.8.3 2010/04/21 04:29:01 marka Exp $ */
 
 #include <config.h>
 
@@ -2961,7 +2961,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
        }
                findnsec3proofs(val);
 
-       if (val->authcount == val->authfail)
+       if (val->authfail != 0 && val->authcount == val->authfail)
                return (DNS_R_BROKENCHAIN);
        validator_log(val, ISC_LOG_DEBUG(3),
                      "nonexistence proof(s) not found");