- Fix negative cache NSEC3 nodata proof, to use the correct

  message size. Thanks to Qifan Zhang, Palo Alto Networks,
  for the report.

diff --git a/doc/Changelog b/doc/Changelog
index 2dce57cacc6ca6af3b3c3bb6e3b3ef57bc6c4f10..536c5c05d2c2de4cefb84bce639581702a199d50 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -20,6 +20,9 @@
        - Fix PROXYv2 header read and consume, it checks the header
          size. Thanks to Qifan Zhang, Palo Alto Networks for
          the report.
+       - Fix negative cache NSEC3 nodata proof, to use the correct
+         message size. Thanks to Qifan Zhang, Palo Alto Networks,
+         for the report.
 
 3 June 2026: Yorgos
        - Fix const as reported by newest compiler warnings.

diff --git a/validator/val_neg.c b/validator/val_neg.c
index 5ab04ac2ccace268f0275714b7cbcdcb2c77aed3..5835fcbafdf04547b500372015d2f1e7eacc6155 100644 (file)
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -1313,7 +1313,7 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
                        !nsec3_has_type(ce_rrset, 0, LDNS_RR_TYPE_NS))
                        return NULL;
                if(!(msg = dns_msg_create(qname, qname_len, 
-                       LDNS_RR_TYPE_DS, zone->dclass, region, 1))) 
+                       LDNS_RR_TYPE_DS, zone->dclass, region, 2))) /* ce + soa */
                        return NULL;
                /* The cache response means recursion is available. */
                msg->rep->flags |= BIT_RA;