3124. [bug] Use an rdataset attribute flag to indicate
authorEvan Hunt <each@isc.org>
Tue, 21 Jun 2011 20:15:54 +0000 (20:15 +0000)
committerEvan Hunt <each@isc.org>
Tue, 21 Jun 2011 20:15:54 +0000 (20:15 +0000)
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets.  [RT #24777]

CHANGES
lib/dns/include/dns/rdataset.h
lib/dns/masterdump.c
lib/dns/message.c
lib/dns/ncache.c
lib/dns/nsec3.c
lib/dns/rbtdb.c
lib/dns/rdataset.c
lib/dns/resolver.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 3f46a38d79fdbcacb89fe426a4bf643efdec9780..e3281420514bacd641910fbd6547140814d57838 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,11 @@
                        RPZ caused named to exit with a assertion failure.
                        [RT #24715]
 
+3124.  [bug]           Use an rdataset attribute flag to indicate
+                       negative-cache records rather than using rrtype 0;
+                       this will prevent problems when that rrtype is
+                       used in actual DNS packets.  [RT #24777]
+
 3123.  [security]      Change #2912 exposed a latent flaw in
                        dns_rdataset_totext() that could cause named to
                        crash with an assertion failure. [RT #24777]
index 6905233cc9b660943a6a4f90b4d893a9008e13e2..7912bdddc33de7d2cfa9e1c86108e30c851c8131 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.69.270.2 2011/06/02 23:47:35 tbox Exp $ */
+/* $Id: rdataset.h,v 1.69.270.3 2011/06/21 20:15:54 each Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -203,6 +203,7 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_RESIGN                0x00040000
 #define DNS_RDATASETATTR_CLOSEST       0x00080000
 #define DNS_RDATASETATTR_OPTOUT                0x00100000      /*%< OPTOUT proof */
+#define DNS_RDATASETATTR_NEGATIVE      0x00200000
 
 /*%
  * _OMITDNSSEC:
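Review bot: The new `DNS_RDATASETATTR_NEGATIVE` define has no description, unlike `DNS_RDATASETATTR_OPTOUT` on the line above it, even though this flag now decides whether an rdataset is a negative-cache entry or a record that arrived with rrtype 0. A trailing comment such as `/*%< negative-cache rdataset; covered type is in 'covers' */` would record that. The block comment that starts at `_OMITDNSSEC:` continues outside the hunk, so it is not visible here whether the other attributes are described there.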
index 186620904316cc66b6941131c427bbb33dd89f37..bb5526bf1028d64a28fef7ba6ecd721a02a997dc 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.99.328.2 2011/06/02 23:47:35 tbox Exp $ */
+/* $Id: masterdump.c,v 1.99.328.3 2011/06/21 20:15:47 each Exp $ */
 
 /*! \file */
 
@@ -410,6 +410,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
        isc_uint32_t current_ttl;
        isc_boolean_t current_ttl_valid;
        dns_rdatatype_t type;
+       unsigned int type_start;
 
        REQUIRE(DNS_RDATASET_VALID(rdataset));
 
@@ -491,29 +492,26 @@ rdataset_totext(dns_rdataset_t *rdataset,
                 * Type.
                 */
 
-               if (rdataset->type == 0) {
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                        type = rdataset->covers;
                } else {
                        type = rdataset->type;
                }
 
-               {
-                       unsigned int type_start;
-                       INDENT_TO(type_column);
-                       type_start = target->used;
-                       if (rdataset->type == 0)
-                               RETERR(str_totext("\\-", target));
-                       result = dns_rdatatype_totext(type, target);
-                       if (result != ISC_R_SUCCESS)
-                               return (result);
-                       column += (target->used - type_start);
-               }
+               INDENT_TO(type_column);
+               type_start = target->used;
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+                       RETERR(str_totext("\\-", target));
+               result = dns_rdatatype_totext(type, target);
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+               column += (target->used - type_start);
 
                /*
                 * Rdata.
                 */
                INDENT_TO(rdata_column);
-               if (rdataset->type == 0) {
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                        if (NXDOMAIN(rdataset))
                                RETERR(str_totext(";-$NXDOMAIN\n", target));
                        else
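Review bot: The test `(rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0` is written out three times in this hunk, although the same code already uses the `NXDOMAIN(rdataset)` helper, and resolver.c and validator.c each gain an identical `NEGATIVE(r)` macro in this commit. Adding `#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)` next to wherever `NXDOMAIN` is defined for this file would keep the predicate in one place per file, which matters because a single missed or mistyped test puts a wire rdataset of type 0 back on the negative-cache path. The same open-coded test appears in the dump_rdatasets_text and dump_rdatasets_raw hunks below and in towiresorted in rdataset.c. rdataset_totext starts and ends outside this hunk.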
@@ -876,7 +874,7 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
                if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
                        fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
                }
-               if (rds->type == 0 &&
+               if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
                    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
                        /* Omit negative cache entries */
                } else {
@@ -1041,7 +1039,7 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
                dns_rdataset_init(&rdataset);
                dns_rdatasetiter_current(rdsiter, &rdataset);
 
-               if (rdataset.type == 0 &&
+               if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
                    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
                        /* Omit negative cache entries */
                } else {
index 87eae63034bf649913f7042a7843773757fb2fbe..af19bcd2d0b7b256562a2b77b7e5be8a093df71f 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.254.186.2 2011/06/08 23:47:27 tbox Exp $ */
+/* $Id: message.c,v 1.254.186.3 2011/06/21 20:15:47 each Exp $ */
 
 /*! \file */
 
@@ -2516,7 +2516,7 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
 
 isc_result_t
 dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
-       unsigned int first_section;
+       unsigned int clear_after;
        isc_result_t result;
 
        REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -2528,15 +2528,15 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
            msg->opcode != dns_opcode_notify)
                want_question_section = ISC_FALSE;
        if (msg->opcode == dns_opcode_update)
-               first_section = DNS_SECTION_PREREQUISITE;
+               clear_after = DNS_SECTION_PREREQUISITE;
        else if (want_question_section) {
                if (!msg->question_ok)
                        return (DNS_R_FORMERR);
-               first_section = DNS_SECTION_ANSWER;
+               clear_after = DNS_SECTION_ANSWER;
        } else
-               first_section = DNS_SECTION_QUESTION;
+               clear_after = DNS_SECTION_QUESTION;
        msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
-       msgresetnames(msg, first_section);
+       msgresetnames(msg, clear_after);
        msgresetopt(msg);
        msgresetsigs(msg, ISC_TRUE);
        msginitprivate(msg);
index 7f6a45d3852a1efddf85ba702ef8ea5d3d1347d9..70746783fcbe382b20b60ee968a23b64c692203f 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.50.124.1.2.2 2011/06/02 23:47:35 tbox Exp $ */
+/* $Id: ncache.c,v 1.50.124.1.2.3 2011/06/21 20:15:47 each Exp $ */
 
 /*! \file */
 
@@ -243,6 +243,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
        RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
                      == ISC_R_SUCCESS);
        ncrdataset.trust = trust;
+       ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
        if (message->rcode == dns_rcode_nxdomain)
                ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
        if (optout)
@@ -273,6 +274,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 
        REQUIRE(rdataset != NULL);
        REQUIRE(rdataset->type == 0);
+       REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
 
        savedbuffer = *target;
        count = 0;
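Review bot: The added `REQUIRE` makes the NEGATIVE attribute a hard precondition of dns_ncache_towire, and a failed REQUIRE is an assertion failure rather than an error return. No ncache header appears in this commit's file list, so the documented contract presumably still names only type 0. The same applies to the REQUIREs added in dns_ncache_getrdataset, dns_ncache_getsigrdataset and dns_ncache_current below. The Requires text for these four functions should say that `DNS_RDATASETATTR_NEGATIVE` must be set. Callers outside this diff that still pick negative entries by `type == 0` alone, if any remain, should be converted so that a type-0 rdataset built from a packet cannot reach the assertion. The function body continues outside the hunk.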
@@ -501,6 +503,7 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(name != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
        REQUIRE(type != dns_rdatatype_rrsig);
@@ -577,6 +580,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(name != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
 
@@ -676,6 +680,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(found != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
 
index e1caac776f36115ab79b5e30f3f3bc909449cf12..1565d97a91ca198d7a79d6ff3dbf7459dac44078 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.19 2010/12/07 02:53:34 marka Exp $ */
+/* $Id: nsec3.c,v 1.19.96.1 2011/06/21 20:15:48 each Exp $ */
 
 #include <config.h>
 
@@ -1579,7 +1579,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 
 isc_result_t
 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-                    dns_rdatatype_t type, dns_diff_t *diff)
+                    dns_rdatatype_t privatetype, dns_diff_t *diff)
 {
        dns_dbnode_t *node = NULL;
        dns_rdata_nsec3param_t nsec3param;
@@ -1624,9 +1624,9 @@ dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
        dns_rdataset_disassociate(&rdataset);
 
  try_private:
-       if (type == 0)
+       if (privatetype == 0)
                goto success;
-       result = dns_db_findrdataset(db, node, version, type, 0, 0,
+       result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
                                     &rdataset, NULL);
        if (result == ISC_R_NOTFOUND)
                goto success;
@@ -1681,7 +1681,7 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 
 isc_result_t
 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
-                 isc_boolean_t complete, dns_rdatatype_t type,
+                 isc_boolean_t complete, dns_rdatatype_t privatetype,
                  isc_boolean_t *answer)
 {
        dns_dbnode_t *node = NULL;
@@ -1730,11 +1730,11 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
                *answer = ISC_FALSE;
 
  try_private:
-       if (type == 0 || complete) {
+       if (privatetype == 0 || complete) {
                *answer = ISC_FALSE;
                return (ISC_R_SUCCESS);
        }
-       result = dns_db_findrdataset(db, node, version, type, 0, 0,
+       result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
                                     &rdataset, NULL);
 
        dns_db_detachnode(db, &node);
index f6d48486b0b0072bb5061d6c367fdbc42e7a4030..2409ce7e63743a24089c873b05708fd7c7b02fee 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.310.8.1 2011/02/18 23:23:08 each Exp $ */
+/* $Id: rbtdb.c,v 1.310.8.1.2.1 2011/06/21 20:15:48 each Exp $ */
 
 /*! \file */
 
@@ -279,6 +279,7 @@ typedef ISC_LIST(dns_rbtnode_t)         rbtnodelist_t;
 #define RDATASET_ATTR_RESIGN            0x0020
 #define RDATASET_ATTR_STATCOUNT         0x0040
 #define RDATASET_ATTR_OPTOUT           0x0080
+#define RDATASET_ATTR_NEGATIVE          0x0100
 
 typedef struct acache_cbarg {
        dns_rdatasetadditional_t        type;
@@ -317,6 +318,8 @@ struct acachectl {
        (((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
 #define OPTOUT(header) \
        (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
+#define NEGATIVE(header) \
+       (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
 
 #define DEFAULT_NODE_LOCK_COUNT         7       /*%< Should be prime. */
 
@@ -696,11 +699,13 @@ update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
        /* At the moment we count statistics only for cache DB */
        INSIST(IS_CACHE(rbtdb));
 
-       if (NXDOMAIN(header))
-               statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
-       else if (RBTDB_RDATATYPE_BASE(header->type) == 0) {
-               statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
-               base = RBTDB_RDATATYPE_EXT(header->type);
+       if (NEGATIVE(header)) {
+               if (NXDOMAIN(header))
+                       statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+               else {
+                       statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+                       base = RBTDB_RDATATYPE_EXT(header->type);
+               }
        } else
                base = RBTDB_RDATATYPE_BASE(header->type);
 
@@ -2780,6 +2785,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
        rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
        rdataset->ttl = header->rdh_ttl - now;
        rdataset->trust = header->trust;
+       if (NEGATIVE(header))
+               rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
        if (NXDOMAIN(header))
                rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
        if (OPTOUT(header))
@@ -5011,7 +5018,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
                *nodep = node;
        }
 
-       if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+       if (NEGATIVE(found)) {
                /*
                 * We found a negative cache entry.
                 */
@@ -5680,7 +5687,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        if (found == NULL)
                return (ISC_R_NOTFOUND);
 
-       if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+       if (NEGATIVE(found)) {
                /*
                 * We found a negative cache entry.
                 */
@@ -5891,7 +5898,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
        negtype = 0;
        if (rbtversion == NULL && !newheader_nx) {
                rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
-               if (rdtype == 0) {
+               if (NEGATIVE(newheader)) {
                        /*
                         * We're adding a negative cache entry.
                         */
@@ -6433,6 +6440,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        } else {
                newheader->serial = 1;
                newheader->resign = 0;
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+                       newheader->attributes |= RDATASET_ATTR_NEGATIVE;
                if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
                        newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
                if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
@@ -8158,7 +8167,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 
        type = header->type;
        rdtype = RBTDB_RDATATYPE_BASE(header->type);
-       if (rdtype == 0) {
+       if (NEGATIVE(header)) {
                covers = RBTDB_RDATATYPE_EXT(header->type);
                negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
        } else
index ca37e8475f1310c7bd34eaef80284b3efc8fee9f..5835c92e58c5edfef5e1ac34201c78c923af4abc 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.86.220.2 2011/06/02 23:47:35 tbox Exp $ */
+/* $Id: rdataset.c,v 1.86.220.3 2011/06/21 20:15:53 each Exp $ */
 
 /*! \file */
 
@@ -345,7 +345,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
                count = 1;
                result = dns_rdataset_first(rdataset);
                INSIST(result == ISC_R_NOMORE);
-       } else if (rdataset->type == 0) {
+       } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                /*
                 * This is a negative caching rdataset.
                 */
index e07d2a293cfd5232d42d8465ffdfc6e21e9141f4..fcb940e3b967edbae9a6513efc33f78106414478 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.428.6.5 2011/02/18 23:41:51 mgraff Exp $ */
+/* $Id: resolver.c,v 1.428.6.5.2.1 2011/06/21 20:15:53 each Exp $ */
 
 /*! \file */
 
@@ -435,6 +435,7 @@ struct dns_resolver {
                                         FCTX_ADDRINFO_TRIED) != 0)
 
 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
 
 static void destroy(dns_resolver_t *res);
 static void empty_bucket(dns_resolver_t *res);
@@ -1059,7 +1060,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
                 * Negative results must be indicated in event->result.
                 */
                if (dns_rdataset_isassociated(event->rdataset) &&
-                   event->rdataset->type == dns_rdatatype_none) {
+                   NEGATIVE(event->rdataset)) {
                        INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
                               event->result == DNS_R_NCACHENXRRSET);
                }
@@ -4164,7 +4165,7 @@ validated(isc_task_t *task, isc_event_t *event) {
        if (result != ISC_R_SUCCESS &&
            result != DNS_R_UNCHANGED)
                goto noanswer_response;
-       if (ardataset != NULL && ardataset->type == 0) {
+       if (ardataset != NULL && NEGATIVE(ardataset)) {
                if (NXDOMAIN(ardataset))
                        eresult = DNS_R_NCACHENXDOMAIN;
                else
@@ -4485,7 +4486,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                                        result = ISC_R_SUCCESS;
                                        if (!need_validation &&
                                            ardataset != NULL &&
-                                           ardataset->type == 0) {
+                                           NEGATIVE(ardataset)) {
                                                /*
                                                 * The answer in the cache is
                                                 * better than the answer we
@@ -4615,7 +4616,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                        if (result == DNS_R_UNCHANGED) {
                                if (ANSWER(rdataset) &&
                                    ardataset != NULL &&
-                                   ardataset->type == 0) {
+                                   NEGATIVE(ardataset)) {
                                        /*
                                         * The answer in the cache is better
                                         * than the answer we found, and is
@@ -4645,7 +4646,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                         * Negative results must be indicated in event->result.
                         */
                        if (dns_rdataset_isassociated(event->rdataset) &&
-                           event->rdataset->type == dns_rdatatype_none) {
+                           NEGATIVE(event->rdataset)) {
                                INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
                                       eresult == DNS_R_NCACHENXRRSET);
                        }
@@ -4725,7 +4726,7 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
                 * care about whether it is DNS_R_NCACHENXDOMAIN or
                 * DNS_R_NCACHENXRRSET then extract it.
                 */
-               if (ardataset->type == 0) {
+               if (NEGATIVE(ardataset)) {
                        /*
                         * The cache data is a negative cache entry.
                         */
index 45fe8df6141b0c4ecd73f82bf5fd65cd6dd88aca..d088387c7b177ecd08ee76ac7d77fbf42ed8bd12 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.197.40.2 2011/06/02 23:47:35 tbox Exp $ */
+/* $Id: validator.c,v 1.197.40.3 2011/06/21 20:15:54 each Exp $ */
 
 #include <config.h>
 
 #define SHUTDOWN(v)            (((v)->attributes & VALATTR_SHUTDOWN) != 0)
 #define CANCELED(v)            (((v)->attributes & VALATTR_CANCELED) != 0)
 
+#define NEGATIVE(r)    (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
 static void
 destroy(dns_validator_t *val);
 
@@ -742,7 +744,7 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
                name = dns_fixedname_name(&val->fname);
                if ((val->attributes & VALATTR_INSECURITY) != 0 &&
                    val->frdataset.covers == dns_rdatatype_ds &&
-                   val->frdataset.type == 0 &&
+                   NEGATIVE(&val->frdataset) &&
                    isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
                        if (val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
@@ -3974,7 +3976,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
                        val->attributes |= VALATTR_NEEDNODATA;
                result = nsecvalidate(val, ISC_FALSE);
        } else if (val->event->rdataset != NULL &&
-                   val->event->rdataset->type == 0)
+                   NEGATIVE(val->event->rdataset))
        {
                /*
                 * This is a nonexistence validation.