From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Fri, 24 May 2013 14:11:23 +0000 (+0200)
Subject: send extra NSEC3 because old BIND9 needs it, closes #814
X-Git-Tag: auth-3.3-rc1~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a1d6b0c22ccb5b200bc24de2646b8235aad3786c;p=pdns

send extra NSEC3 because old BIND9 needs it, closes #814
---

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index ba5165768..549cac397 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -601,7 +601,9 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
   }
   
   // add matching NSEC3 RR
-  if (mode != 3) {
+  // we used to skip this one for mode 3, but old BIND needs it
+  // see https://github.com/PowerDNS/pdns/issues/814
+  // if (mode != 3) {
     unhashed=(mode == 0 || mode == 5) ? target : closest;
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
@@ -610,7 +612,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after);
     DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
     emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode);
-  }
+  // }
 
   // add covering NSEC3 RR
   if (mode != 0 && mode != 5) {
diff --git a/regression-tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/any-wildcard-dnssec/expected_result.narrow
index dc937bb7c..d32de2872 100644
--- a/regression-tests/any-wildcard-dnssec/expected_result.narrow
+++ b/regression-tests/any-wildcard-dnssec/expected_result.narrow
@@ -1,5 +1,7 @@
 0	www.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A
 1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/any-wildcard-dnssec/expected_result.nsec3 b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
index 5d117598e..9cec8cc17 100644
--- a/regression-tests/any-wildcard-dnssec/expected_result.nsec3
+++ b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
@@ -1,5 +1,7 @@
 0	www.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
 1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/cname-wildcard-chain/expected_result.narrow b/regression-tests/cname-wildcard-chain/expected_result.narrow
index 2b1a993a1..746bf5923 100644
--- a/regression-tests/cname-wildcard-chain/expected_result.narrow
+++ b/regression-tests/cname-wildcard-chain/expected_result.narrow
@@ -12,10 +12,20 @@
 0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
 1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 936EEBQ7JR1UC4BN1MAA69A3AUPEITFD
+1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd A376DJ0HNUCS849R3DP2EVRVBG967OEV
+1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd AKAD2JTK186U143VHL92EN81U06LJNA6
+1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
 1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B3MJ2RAG3TFRK0CBK5UVLM9HNT6K6TMK
+1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
 1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd BI61D8HTVRNFKTNIG400N722D2V3LQ1J
+1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
 1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	vsfa79vv78gd61567bkcai646ta0p276.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
diff --git a/regression-tests/cname-wildcard-chain/expected_result.nsec3 b/regression-tests/cname-wildcard-chain/expected_result.nsec3
index 6d89b279f..4f4b838ba 100644
--- a/regression-tests/cname-wildcard-chain/expected_result.nsec3
+++ b/regression-tests/cname-wildcard-chain/expected_result.nsec3
@@ -12,10 +12,20 @@
 0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
 1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 938CRGVGJ6PEHDHT49EJCEIIRMH75IJ8
+1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd A37U32P0GF09BE4EHU7VTEESS1GU45UB
+1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd AKATF5BN9NMCT00E5PLMMOJM196CHN71
+1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
 1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B3ONOQ30J349UAJOB6H2FM1FIT3TOJKR
+1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
 1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd BI7NGLVDS01SK3172JRF6UPDINT4OEDL
+1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
 1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.narrow b/regression-tests/ent-wildcard-below-ent/expected_result.narrow
index d5143be03..90a1d81b3 100644
--- a/regression-tests/ent-wildcard-below-ent/expected_result.narrow
+++ b/regression-tests/ent-wildcard-below-ent/expected_result.narrow
@@ -2,6 +2,8 @@
 0	something.a.b.c.test.com.	IN	RRSIG	3600	A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1	qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT
 1	qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd VLVUJATANOF6FEAJOESTI9KQ4S0CRST4
+1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2	.	IN	OPT	32768	
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A
diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
index 84c6ef54e..62c0665c3 100644
--- a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
+++ b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
@@ -2,6 +2,8 @@
 0	something.a.b.c.test.com.	IN	RRSIG	3600	A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG
 1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd 0BH8DI769I8VVTKDDS8EFJDA19ABIGO5
+1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2	.	IN	OPT	32768	
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
index 7283555c9..3933943f7 100644
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
@@ -1,5 +1,7 @@
 0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0
 1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
index 3a4e9a1dc..75988a08d 100644
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
@@ -1,5 +1,7 @@
 0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/five-levels-wildcard/expected_result.narrow b/regression-tests/five-levels-wildcard/expected_result.narrow
index 2736694ec..9ebb71d06 100644
--- a/regression-tests/five-levels-wildcard/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard/expected_result.narrow
@@ -1,5 +1,7 @@
 0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
 0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd BAGSLTIUMGOAVHE3IG8960L8J2IL0MH9 TXT RRSIG
+1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI
 1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/five-levels-wildcard/expected_result.nsec3 b/regression-tests/five-levels-wildcard/expected_result.nsec3
index 28c063dcb..cb1231145 100644
--- a/regression-tests/five-levels-wildcard/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard/expected_result.nsec3
@@ -1,5 +1,7 @@
 0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
 0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd CV382M4JQHLE9U45MDQFH64VP0JBFPN5 TXT RRSIG
+1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768