From 933d03fc83d300c0e8713d2faa0ab9dab61f6400 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 13 Sep 2023 10:59:39 +1000
Subject: [PATCH 1/3] Correctly set the value of covered in dns_ncache_current

Fix the type and rdclass being passed to dns_rdata_tostruct so that rrsig.covered is correctly set.

(cherry picked from commit 779980710c2ad6696fa8687ae19584ee65372f4e)
---
 lib/dns/ncache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 9247ac1565..941574de56 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -754,7 +754,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
 raw += 2;
 sigregion.base = raw;
 dns_rdata_reset(&rdata);
- dns_rdata_fromregion(&rdata, rdataset->rdclass, rdataset->type,
+ dns_rdata_fromregion(&rdata, ncacherdataset->rdclass, type,
 &sigregion);
 (void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
 rdataset->covers = rrsig.covered;
From 88f696de933f88a1100f40a565efea7394455758 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 15 Sep 2023 14:27:31 +1000
Subject: [PATCH 2/3] Check RRSIG covered type in negative cache entry

The covered type previously displayed as TYPE0 when it should have reflected the records that was actually covered.

(cherry picked from commit 8ce359652a3e0c873520b319e9ee4d17e048d75c)
---
 bin/tests/system/dnssec/tests.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 72c116fbc7..fe4fc32ed5 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
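Review bot: In the lib/dns/ncache.c hunk, the line after the fix still discards the result of `dns_rdata_tostruct` with `(void)`, so `rdataset->covers = rrsig.covered;` copies the field without confirming that the conversion succeeded. A discarded result like this is probably also why the wrong-type call went unnoticed until a cache dump showed TYPE0. If the conversion is considered unable to fail here, state that in code, e.g. `RUNTIME_CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL) == ISC_R_SUCCESS);`; otherwise return the error to the caller rather than using `rrsig`. Either form assumes `type` has already been established as RRSIG on this path, which the hunk does not show; the body of dns_ncache_current starts and ends outside it.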
@@ -377,6 +377,14 @@ if [ -x "${DELV}" ] ; then
 status=$((status+ret))
 fi
+echo_i "checking RRSIG covered type in negative cache entry ($n)"
+ret=0
+rndc_dumpdb ns4
+grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 dig_with_opts +noauth q.nsec3.example. \
From 55baa49118f6c2b18f483b30aea575286884146d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 13 Sep 2023 11:22:30 +1000
Subject: [PATCH 3/3] Add a CHANGES note for [GL #4314]

(cherry picked from commit 80298ade33cfe63085fad2d4b80840e31ba348d3)
---
 CHANGES | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGES b/CHANGES
index a62a2dc690..05a776a16e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6250. [bug] The wrong covered value was being set by
+ dns_ncache_current for RRSIG records in the returned
+ rdataset structure. This resulted in TYPE0 being
+ reported as the covered value of the RRSIG when dumping
+ the cache contents. [GL #4314]
+
 6244. [bug] Adjust log levels on malformed messages to NOTICE when transferring in a zone. [GL #4290]
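Review bot: The new check in bin/tests/system/dnssec/tests.sh dumps ns4's cache without issuing a query first, so it passes only if an earlier test already left a negative entry carrying an NSEC RRSIG for `example.` in that cache. A comment naming the dependency, e.g. `# relies on the negative answer for example. cached in ns4 by an earlier query`, would make a failure after tests are reordered easier to diagnose. The result of `rndc_dumpdb ns4` is also ignored, so a failed dump shows up only as a grep mismatch; `rndc_dumpdb ns4 || ret=1` would make the cause visible, assuming the helper signals failure through its exit status.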