From cc4e001a84d4e17996ddd7d579bad6da9c6dde28 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Mon, 28 Mar 2016 19:37:39 +0200
Subject: [PATCH] pdnsutil: don't set odername for empty non-terminals only derived from glue
---
pdns/pdnsutil.cc | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index ffb2c34fa..1b25b8a7c 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -160,10 +160,12 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
set qnames, nsset, dsnames, insnonterm, delnonterm; map nonterm; bool doent=true; + vector rrs; while(sd.db->get(rr)) { if (rr.qtype.getCode()) { + rrs.push_back(rr); qnames.insert(rr.qname); if(rr.qtype.getCode() == QType::NS && rr.qname != zone) nsset.insert(rr.qname);
@@ -194,6 +196,31 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
else cerr<<"Adding empty non-terminals for non-DNSSEC zone"< nsec3set; + if (haveNSEC3 && !narrow) { + for (auto &rr: rrs) { + bool skip=false; + DNSName shorter = rr.qname; + if (shorter != zone && shorter.chopOff() && shorter != zone) { + do { + if(nsset.count(shorter)) { + skip=true; + break; + } + } while(shorter.chopOff() && shorter != zone); + } + shorter = rr.qname; + if(!skip && (rr.qtype.getCode() != QType::NS || !isOptOut)) { + + do { + if(!nsec3set.count(shorter)) { + nsec3set.insert(shorter); + } + } while(shorter != zone && shorter.chopOff()); + } + } + } + if(doTransaction) sd.db->startTransaction(zone, -1);
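Review bot: The `rrs.push_back(rr)` added inside the `sd.db->get(rr)` loop copies every record of the zone into memory, although the loop that consumes `rrs` in the second hunk reads only `rr.qname` and `rr.qtype.getCode()`. For a large zone this keeps a second full copy of the record data alive for the whole rectify run. Storing only the two fields that are used, for example `rrs.emplace_back(rr.qname, rr.qtype.getCode());` into a vector of name/type-code pairs, would bound that cost. The function starts and ends outside the hunk, so whether the NSEC3 mode is already known at this point, which would allow skipping the collection entirely, cannot be confirmed from here.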
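Review bot: In the second `do` loop, `if(!nsec3set.count(shorter)) { nsec3set.insert(shorter); }` looks each name up twice, and the walk continues to the apex even when the name is already in the set. As far as the visible loop shows, every name is inserted together with all of its ancestors, so a name that is already present implies its ancestors are too, and the loop body can become `if(!nsec3set.insert(shorter).second) break;`. The range-for variable `rr` also appears to shadow the record filled by `sd.db->get(rr)` earlier in the function; `for (const auto& rec : rrs)` would avoid the shadowing and state that the records are not modified. Because `nsec3set` now decides which names receive an NSEC3 ordername, and the commit touches only `pdns/pdnsutil.cc`, a regression zone with glue-only empty non-terminals below an opt-out delegation would pin the intended denial-of-existence chain.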
@@ -214,13 +241,17 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
break; } } while(shorter.chopOff()); + } else { + auth=nonterm.find(qname)->second; } if(haveNSEC3) // NSEC3 { - if(!narrow && (realrr || !isOptOut || nonterm.find(qname)->second)) + if(!narrow && nsec3set.count(qname)) { ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname))) + zone; - else if(!realrr) + if(!realrr) + auth=true; + } else if(!realrr) auth=false; } else if (realrr) // NSEC
--
2.40.0
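Review bot: The added `auth=nonterm.find(qname)->second;` dereferences the iterator returned by `find()` without comparing it to `nonterm.end()`, which is undefined behaviour if `qname` is ever missing from `nonterm`. The `if` that this `else` belongs to starts outside the hunk, so the invariant that every non-real name was entered into `nonterm` cannot be verified here. A checked lookup such as `auto it = nonterm.find(qname); auth = (it != nonterm.end()) && it->second;` would make the branch safe on its own. In the NSEC3 branch below, the value is overwritten again whenever `!realrr` (by `auth=true` or `auth=false`), so a short comment such as `// only consulted on the non-NSEC3 paths; NSEC3 overrides auth for empty non-terminals` would help the next reader.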