2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure

                        delegation.

diff --git a/CHANGES b/CHANGES
index 8d7aaf0d93fca8ed3906b429481cb1e554b7a761..4ab282a4ff67036925ce572c63f7473ec17e4880 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 
        --- 9.6.0rc1 released ---
 
+2497.  [bug]           Don't add RRSIG bit to NSEC3 bit map for insecure
+                       delegation.
+
 2496.  [bug]           Add sanity length checks to NSID option. [RT #18813]
 
 2495.  [bug]           Tighten RRSIG checks. [RT #18795]

diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index edcd1fd2c908c93ea8f1aef9b1000402707e6b2c..54a6993e3e7cbf482173b6c1e066ad6e696119ca 100644 (file)
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.5 2008/09/26 01:24:55 marka Exp $ */
+/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */
 
 #include <config.h>
 
@@ -152,7 +152,9 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
                        if (rdataset.type > max_type)
                                max_type = rdataset.type;
                        set_bit(bm, rdataset.type, 1);
-                       found = ISC_TRUE;
+                       /* Don't set RRSIG for insecure delegation. */
+                       if (rdataset.type != dns_rdatatype_ns)
+                               found = ISC_TRUE;
                }
                dns_rdataset_disassociate(&rdataset);
        }