From: Mark Andrews
Date: Fri, 21 Apr 2023 02:11:15 +0000 (+1000)
Subject: Cleanup orphaned empty-non-terminal NSEC3
X-Git-Tag: v9.16.41~3^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3d8a2232565ac566a089ae562be3b6140db4d42f;p=thirdparty%2Fbind9.git
Cleanup orphaned empty-non-terminal NSEC3
When OPTOUT was in use we didn't ensure that NSEC3 records for orphaned empty-non-terminals where removed. Check if there are orphaned empty-non-terminal NSEC3 even if there wasn't an NSEC3 RRset to be removed in dns_nsec3_delnsec3.
(cherry picked from commit 27160c137fbe1d8af164210ec423359a2c2f1e13)
---
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 520b031117e..7f685808285 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1443,7 +1443,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 result = dns_dbiterator_seek(dbit, hashname);
 if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
- goto success;
+ goto cleanup_orphaned_ents;
 }
 if (result != ISC_R_SUCCESS) {
 goto failure;
@@ -1455,7 +1455,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 (isc_stdtime_t)0, &rdataset, NULL);
 dns_db_detachnode(db, &node);
 if (result == ISC_R_NOTFOUND) {
- goto success;
+ goto cleanup_orphaned_ents;
 }
 if (result != ISC_R_SUCCESS) {
 goto failure;
@@ -1540,6 +1540,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 /*
 * Delete NSEC3 records for now non active nodes.
 */
+cleanup_orphaned_ents:
 dns_name_init(&empty, NULL);
 dns_name_clone(name, &empty);
 do {
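Review bot: Both redirected exits (the `goto cleanup_orphaned_ents;` in the `@@ -1443` hunk and the one in the `@@ -1455` hunk) now jump over everything between the NSEC3 lookup and the orphan loop, so that loop runs without whatever state the skipped code would have set up. Only `dns_name_init(&empty, NULL)` and `dns_name_clone(name, &empty)` are visibly redone after the label; the loop body and the rest of dns_nsec3_delnsec3 lie outside these hunks, so please confirm that every other local the loop reads is assigned before the first `goto` and that `dbit` can be reused after `dns_dbiterator_seek` returned `ISC_R_NOTFOUND` or `DNS_R_PARTIALMATCH`. A short comment at each jump would record why the miss is no longer terminal, e.g. `/* No NSEC3 for this name; orphaned ENT NSEC3s may still need removing. */`. A system test with an OPTOUT zone that leaves an orphaned empty non-terminal would keep this path covered.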
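Review bot: The comment above the new `cleanup_orphaned_ents:` label in the `@@ -1540` hunk still reads as a step that follows the NSEC3 removal, but the label makes this block a second entry point reached from the two not-found exits earlier in the function. Extending the comment would make that explicit, for example adding ` * Also entered directly when 'name' has no NSEC3 of its own (OPTOUT).` before the closing `*/`. The block's `do {` loop continues past the end of the hunk.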