2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure

delegation.
2008-11-17 23:46:42 +00:00
parent cb98b2c207
commit e7ba4d8dc4
2 changed files with 7 additions and 2 deletions
--- a/3
+++ b/3
@@ -1,6 +1,9 @@

 	--- 9.6.0rc1 released ---

+2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
+			delegation.
+
 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]

 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: nsec3.c,v 1.5 2008/09/26 01:24:55 marka Exp $ */
+/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */

 #include <config.h>

@@ -152,7 +152,9 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
 			set_bit(bm, rdataset.type, 1);
-			found = ISC_TRUE;
+			/* Don't set RRSIG for insecure delegation. */
+			if (rdataset.type != dns_rdatatype_ns)
+				found = ISC_TRUE;
 		}
 		dns_rdataset_disassociate(&rdataset);
 	}