2754. [bug] Secure-to-insecure transitions failed when zone

			was signed with NSEC3. [RT #20587]

diff --git a/CHANGES b/CHANGES
index 2ec43ff45bf4cdf5e24c43fe9a50746bad6ce6a2..dd11d75f4153f1e0ed5151e9bb2ee88f1393d6f8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2754.  [bug]           Secure-to-insecure transitions failed when zone
+                       was signed with NSEC3. [RT #20587]
+
 2753.  [bug]           Removed an unnecessary warning that could appear when
                        building an NSEC chain. [RT #20588]
 

diff --git a/bin/named/update.c b/bin/named/update.c
index 140c8493af9e85e2e0452878d158e803dac1b38e..0c82ebbf86cfd00ee0ad9aa731cc0b99e092dfe3 100644 (file)
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.166 2009/10/27 05:42:25 marka Exp $ */
+/* $Id: update.c,v 1.167 2009/11/06 08:38:56 each Exp $ */
 
 #include <config.h>
 
@@ -3043,14 +3043,15 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
        CHECK(dns_nsec_nseconly(db, ver, &flag));
 
        if (flag)
-               CHECK(dns_nsec3_activex(db, ver, ISC_FALSE, privatetype, &flag));
+               CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
+                                       privatetype, &flag));
        if (flag) {
                update_log(client, zone, ISC_LOG_WARNING,
                           "NSEC only DNSKEYs and NSEC3 chains not allowed");
        } else {
                CHECK(get_iterations(db, ver, privatetype, &iterations));
                CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
-               if (iterations > max) {
+               if (max != 0 && iterations > max) {
                        flag = ISC_TRUE;
                        update_log(client, zone, ISC_LOG_WARNING,
                                   "too many NSEC3 iterations (%u) for "