While it's not an issue in the current code because we checked
earlier that the NSEC covered the name, it might prevent an issue
if we reuse nsecProvesENT() later.
it is an ENT */
denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+ /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
+ denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
+ BOOST_CHECK_EQUAL(denialState, NODATA);
}
BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
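Review bot: The added assertion for `a.c.powerdns.com.` goes through `getDenial()`, and the commit description says the earlier coverage check already makes the missing condition harmless in the current code, so this test would presumably pass with or without the new `next != name` guard. If that is right, no test fails when the guard in nsecProvesENT() is removed. A direct check of the helper with `next` equal to `name` would pin it, provided the helper can be reached from the test file. The comment could also state what the expected value means here, e.g. `/* NODATA: no usable denial proof, the NSEC is rejected for this name/type */`, since `NODATA` appears to be the "nothing proven" result rather than a DNS NODATA answer. The test case body starts before this hunk.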
- begin < name
- next is a child of name
*/
- return begin.canonCompare(name) && next.isPartOf(name);
+ return begin.canonCompare(name) && next != name && next.isPartOf(name);
}
static std::string getHashFromNSEC3(const DNSName& qname, const std::shared_ptr<NSEC3RecordContent> nsec3)
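Review bot: The comment just above the changed return still lists only two conditions (`- begin < name` and `- next is a child of name`), while the new expression also requires `next != name`. Add a third bullet such as `- next is not name itself`, with a short reason, presumably that `isPartOf()` also accepts an equal name, which says nothing about names existing below it. In a denial-of-existence check the comment is what an auditor compares against the code, so the documented rule should match the expression exactly. The function signature and the opening of the comment lie outside this hunk.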