ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Cleanup orphaned empty-non-terminal NSEC3

Browse Source 
When OPTOUT was in use we didn't ensure that NSEC3 records
for orphaned empty-non-terminals where removed.  Check if
there are orphaned empty-non-terminal NSEC3 even if there
wasn't an NSEC3 RRset to be removed in dns_nsec3_delnsec3.
This commit is contained in:
Mark Andrews
2023-04-21 12:11:15 +10:00
parent 2aff1d6efc
commit 27160c137f
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/dns/nsec3.c
View File

@@ -1440,7 +1440,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
result = dns_dbiterator_seek(dbit, hashname);
if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
goto success;
goto cleanup_orphaned_ents;
}
if (result != ISC_R_SUCCESS) {
goto failure;
@@ -1452,7 +1452,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
(isc_stdtime_t)0, &rdataset, NULL);
dns_db_detachnode(db, &node);
if (result == ISC_R_NOTFOUND) {
goto success;
goto cleanup_orphaned_ents;
}
if (result != ISC_R_SUCCESS) {
goto failure;
@@ -1537,6 +1537,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
/*
* Delete NSEC3 records for now non active nodes.
*/
cleanup_orphaned_ents:
dns_name_init(&empty, NULL);
dns_name_clone(name, &empty);
do {