DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
DELVOPTS="-a ns1/trusted.conf -p 5300"
-echo "I:prime negative NXDOMAIN response ($n)"
-ret=0
-$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1
-grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1
-nxdomain=dig.out.ns2.test$n
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:prime negative NODATA response ($n)"
-ret=0
-$DIG $DIGOPTS nodata.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1
-nodata=dig.out.ns2.test$n
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:prime wildcard response ($n)"
-ret=0
-$DIG $DIGOPTS a.wild-a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "a.wild-a.example.*3600.IN.A" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:prime wildcard CNAME response ($n)"
-ret=0
-$DIG $DIGOPTS a.wild-cname.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:prime redirect response (+nodnssec) ($n)"
+for ns in 2 4 5
+do
+ case $ns in
+ 2) description="<default>";;
+ 4) description="no";;
+ 5) description="yes";;
+ *) exit 1;;
+ esac
+ echo "I:prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq 2 ] && nodata=dig.out.ns${ns}.test$n
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:prime wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "a.wild-a.example.*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo "I:prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+#
+# ensure TTL of synthesised answers differs from direct answers.
+#
sleep 1
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 dumpdb
-
-echo "I:check synthesized NXDOMAIN response ($n)"
-ret=0
-$DIG $DIGOPTS b.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1
-grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null && ret=1
-$PERL ../digcomp.pl $nxdomain dig.out.ns2.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:check synthesized NODATA response ($n)"
-ret=0
-$DIG $DIGOPTS nodata.example. @10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null && ret=1
-$PERL ../digcomp.pl $nodata dig.out.ns2.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:check synthesized wildcard response ($n)"
-ret=0
-$DIG $DIGOPTS b.wild-a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns2.test$n > /dev/null && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:check synthesized wildcard CNAME response ($n)"
-ret=0
-$DIG $DIGOPTS b.wild-cname.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
-grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns2.test$n > /dev/null && ret=1
-grep "ns1.example.*.IN.A" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:check redirect response (+dnssec) ($n)"
+for ns in 2 4 5
+do
+ case $ns in
+ 2) synth=yes description="<default>";;
+ 4) synth=no description="no";;
+ 5) synth=yes description="yes";;
+ *) exit 1;;
+ esac
+ echo "I:check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ if [ ${synth} = yes ]
+ then
+ grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
+ else
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ fi
+ $PERL ../digcomp.pl $nxdomain dig.out.ns${ns}.test$n || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ if [ ${synth} = yes ]
+ then
+ grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
+ else
+ grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ fi
+ $PERL ../digcomp.pl $nodata dig.out.ns${ns}.test$n || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ if [ ${synth} = yes ]
+ then
+ grep "b\.wild-a\.example\..*IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null && ret=1
+ else
+ grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ fi
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ echo "I:check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ $DIG $DIGOPTS b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+ if [ ${synth} = yes ]
+ then
+ grep "b.wild-cname.example.*IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null && ret=1
+ else
+ grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ fi
+ grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo "I:check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-echo "I:check redirect response (+nodnssec) ($n)"
+echo "I:check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
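Review bot: The guard on the nxdomain assignment in the first loop, `[ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n`, compares ns with itself and is always true, so nxdomain ends up naming the ns5 output after the loop, while the NODATA counterpart a few lines below keeps `[ $ns -eq 2 ]`. The `$PERL ../digcomp.pl $nxdomain ...` comparisons in the check loop therefore diff every server's synthesized NXDOMAIN against the ns5 primed answer instead of ns2's; this probably still passes because the primed answers from all three servers should be identical, but it is inconsistent and obscures which server is the reference. Change the line to `[ $ns -eq 2 ] && nxdomain=dig.out.ns${ns}.test$n` so both reference files come from the default-configured server. The `*) exit 1;;` arms in both case statements also exit without printing an "I:failed" line, so a stray value in the ns list would abort the run silently.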
va_end(ap);
}
+static dns_ttl_t
+query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset,
+ dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset,
+ dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset)
+{
+ dns_rdata_soa_t soa;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_ttl_t ttl;
+ isc_result_t result;
+
+ REQUIRE(soardataset != NULL);
+ REQUIRE(sigsoardataset != NULL);
+ REQUIRE(p1rdataset != NULL);
+ REQUIRE(sigp1rdataset != NULL);
+
+ result = dns_rdataset_first(soardataset);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdataset_current(soardataset, &rdata);
+ dns_rdata_tostruct(&rdata, &soa, NULL);
+
+ ttl = ISC_MIN(soa.minimum, soardataset->ttl);
+ ttl = ISC_MIN(ttl, sigsoardataset->ttl);
+ ttl = ISC_MIN(ttl, p1rdataset->ttl);
+ ttl = ISC_MIN(ttl, sigp1rdataset->ttl);
+ if (p2rdataset != NULL)
+ ttl = ISC_MIN(ttl, p2rdataset->ttl);
+ if (sigp2rdataset != NULL)
+ ttl = ISC_MIN(ttl, sigp2rdataset->ttl);
+
+ return (ttl);
+}
+
/*
* Synthesize a NODATA response from the SOA and covering NSEC in cache.
*/
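Review bot: The return value of `dns_rdata_tostruct(&rdata, &soa, NULL)` in query_synthttl is discarded, whereas the `dns_rdataset_first` call directly above it is wrapped in RUNTIME_CHECK; for consistency, and so a failure cannot leave `soa.minimum` unset before it is fed into the ISC_MIN chain, write `result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS);`. The new function also has no header comment; something like `/* Return the TTL for a synthesised answer: the minimum of the SOA MINIMUM field and the TTLs of the SOA, the proof rdataset(s) and their RRSIGs. p2rdataset/sigp2rdataset may be NULL when only one proof is involved. */` would document the contract the two call sites rely on. Since p2rdataset and sigp2rdataset are tested independently, a caller passing one without the other is silently accepted; `REQUIRE((p2rdataset == NULL) == (sigp2rdataset == NULL));` would pin the pairing that both existing callers follow.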
/*
* Detemine the correct TTL to use for the SOA and RRSIG
*/
- ttl = ISC_MIN(qctx->rdataset->ttl, qctx->sigrdataset->ttl);
- ttl = ISC_MIN(ttl, (*soardatasetp)->ttl);
- ttl = ISC_MIN(ttl, (*sigsoardatasetp)->ttl);
-
+ ttl = query_synthttl(*soardatasetp, *sigsoardatasetp,
+ qctx->rdataset, qctx->sigrdataset,
+ NULL, NULL);
(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
/*
/*
* Synthesize a NXDOMAIN response from qctx (which contains the
- * NODATA proof), nowild + rdataset + sigrdataset (which contains
- * the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp
+ * NODATA proof), nowild + nowildrdataset + signowildrdataset (which
+ * contains the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp
* which contain the SOA record + RRSIG for the negative answer.
*/
static isc_result_t
query_synthnxdomain(query_ctx_t *qctx,
dns_name_t *nowild,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
+ dns_rdataset_t *nowildrdataset,
+ dns_rdataset_t *signowildrdataset,
dns_name_t *signer,
dns_rdataset_t **soardatasetp,
dns_rdataset_t **sigsoardatasetp)
/*
* Detemine the correct TTL to use for the SOA and RRSIG
*/
- ttl = ISC_MIN(qctx->rdataset->ttl, qctx->sigrdataset->ttl);
- ttl = ISC_MIN(ttl, rdataset->ttl);
- ttl = ISC_MIN(ttl, sigrdataset->ttl);
- ttl = ISC_MIN(ttl, (*soardatasetp)->ttl);
- ttl = ISC_MIN(ttl, (*sigsoardatasetp)->ttl);
-
+ ttl = query_synthttl(*soardatasetp, *sigsoardatasetp,
+ qctx->rdataset, qctx->sigrdataset,
+ nowildrdataset, signowildrdataset);
(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
/*
goto cleanup;
}
- dns_rdataset_clone(rdataset, clone);
- dns_rdataset_clone(sigrdataset, sigclone);
+ dns_rdataset_clone(nowildrdataset, clone);
+ dns_rdataset_clone(signowildrdataset, sigclone);
/*
* Add NOWILDCARD proof.