From: W.C.A. Wijngaards Date: Wed, 3 Jun 2026 12:40:17 +0000 (+0200) Subject: - Fix negative cache NSEC3 nodata proof, to use the correct X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=1b1b9626ee20da679cec5a6d9838deef837c9c9d;p=thirdparty%2Funbound.git - Fix negative cache NSEC3 nodata proof, to use the correct message size. Thanks to Qifan Zhang, Palo Alto Networks, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 2dce57cac..536c5c05d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -20,6 +20,9 @@ - Fix PROXYv2 header read and consume, it checks the header size. Thanks to Qifan Zhang, Palo Alto Networks for the report. + - Fix negative cache NSEC3 nodata proof, to use the correct + message size. Thanks to Qifan Zhang, Palo Alto Networks, + for the report. 3 June 2026: Yorgos - Fix const as reported by newest compiler warnings. diff --git a/validator/val_neg.c b/validator/val_neg.c index 5ab04ac2c..5835fcbaf 100644 --- a/validator/val_neg.c +++ b/validator/val_neg.c @@ -1313,7 +1313,7 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, !nsec3_has_type(ce_rrset, 0, LDNS_RR_TYPE_NS)) return NULL; if(!(msg = dns_msg_create(qname, qname_len, - LDNS_RR_TYPE_DS, zone->dclass, region, 1))) + LDNS_RR_TYPE_DS, zone->dclass, region, 2))) /* ce + soa */ return NULL; /* The cache response means recursion is available. */ msg->rep->flags |= BIT_RA;
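Review bot: in doc/Changelog, the new entry says only "use the correct message size" and names neither the function changed in this commit (neg_nsec3_proof_ds in validator/val_neg.c) nor what the wrong size led to. The report is credited to an external researcher, so packagers deciding whether to backport would benefit from one more clause that states the affected code path and the observable effect of the old value.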
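Review bot: in validator/val_neg.c, neg_nsec3_proof_ds(), the capacity argument to dns_msg_create is still a hand-counted literal (now 2, annotated "/* ce + soa */"), so it can fall out of step with the rrsets added later in the function, as the previous value of 1 did. The hunk does not show the add calls, so the count cannot be confirmed from the diff alone. Please confirm that exactly two rrsets are appended on every path, and consider a named constant or a capacity check at the point where rrsets are appended, so that a mismatch fails cleanly. The patch touches only doc/Changelog and val_neg.c; a regression test that exercises the NSEC3 nodata DS proof from the negative cache would keep this from recurring. It is also worth checking the other dns_msg_create callers in this file for the same kind of count.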