From e633398010fe4e173df47b57fd43da594af96c7c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 23 Aug 2022 10:54:42 +0200 Subject: [PATCH 1/2] nsec3.c: Add a missing dns_db_detachnode() call There is one case in 'dns_nsec3_activex()' where it returns but forgets to detach the db node. Add the missing 'dns_db_detachnode()' call. This case only triggers if 'sig-signing-type' (privatetype) is set to 0 (which by default is not), or if the function is called with 'complete' is set to 'true' (which at this moment do not exist). --- lib/dns/nsec3.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index fca6459343..253de1cab7 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -1830,6 +1830,7 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete, try_private: if (privatetype == 0 || complete) { + dns_db_detachnode(db, &node); *answer = false; return (ISC_R_SUCCESS); } From a98f993da8fc22e94d52df5552fdba357f92a73c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 23 Aug 2022 11:04:00 +0200 Subject: [PATCH 2/2] Add CHANGES entry for #3500 There is no need for a release because this case was nearly impossible to trigger (except for when 'sig-signing-type' was set to 0). --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 27848a6f95..88e3dc01c2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing + dns_db_detachnode() call. [GL #3500] + 5947. [func] Change dnssec-policy to allow graceful transition from an NSEC only zone to NSEC3. [GL #3486]
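Review bot: In the lib/dns/nsec3.c hunk, the new `dns_db_detachnode(db, &node);` sits directly under the `try_private:` label, and the visible lines do not show whether every path that jumps to that label arrives with `node` still attached. Please confirm that no jump to `try_private` happens after the node has already been detached or before it was attached, or guard the call with a `node != NULL` check. Since this is a per-return fix, moving the detach into one shared cleanup path would also keep a later early return in this function from reintroducing the same leak. The commit message names `sig-signing-type` set to 0 as the trigger, so a test with that setting would cover this branch.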
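Review bot: In the CHANGES hunk, entry 5948 names the function and the added call but not the condition or the effect an operator would recognise. The commit messages state that the path is reached when 'sig-signing-type' is set to 0 and that the db node was not detached on return; saying so in the entry (for example "a db node reference was not released when 'sig-signing-type' was set to 0") would let readers judge whether their configuration is affected without opening [GL #3500].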