From 718e597def1daaae7edf9b151f6b24e0acc5c87a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 28 Oct 2020 11:58:38 +1100
Subject: [PATCH] Handle DNS_R_NCACHENXRRSET in
 fetch_callback_{dnskey,validator}()

DNS_R_NCACHENXRRSET can be return when zones are in transition state
from being unsigned to signed and signed to unsigned.  The validation
should be resumed and should result in a insecure answer.
---
 lib/dns/validator.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c6a96ff9df..27adb5a31f 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -410,13 +410,20 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
 	val->fetch = NULL;
 	if (CANCELED(val)) {
 		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
+	} else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+		/*
+		 * We have an answer to our DNSKEY query.  Either the DNSKEY
+		 * RRset or a NODATA response.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+			      eresult == ISC_R_SUCCESS ? "keyset"
+						       : "NCACHENXRRSET",
 			      dns_trust_totext(rdataset->trust));
 		/*
-		 * Only extract the dst key if the keyset is secure.
+		 * Only extract the dst key if the keyset exists and is secure.
 		 */
-		if (rdataset->trust >= dns_trust_secure) {
+		if (eresult == ISC_R_SUCCESS &&
+		    rdataset->trust >= dns_trust_secure) {
 			result = select_signing_key(val, rdataset);
 			if (result == ISC_R_SUCCESS) {
 				val->keyset = &val->frdataset;