From 554d22d2deb8889bb16434176b5716ab79d15c50 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 3 Nov 2009 01:07:48 +0000 Subject: [PATCH] 2743. [bug] RRSIG could be incorrectly sent in the NSEC3 record for a insecure delegation. --- CHANGES | 3 +++ lib/dns/nsec3.c | 25 ++++++++++++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 24836c273a..8da571c7a3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2743. [bug] RRSIG could be incorrectly sent in the NSEC3 record + for a insecure delegation. + --- 9.7.0b2 released --- 2742. [cleanup] Clarify some DNSSEC-related log messages in diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 81de97f4f4..4c44194bc4 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.c,v 1.10 2009/10/08 23:48:10 tbox Exp $ */ +/* $Id: nsec3.c,v 1.11 2009/11/03 01:07:48 marka Exp $ */ #include @@ -88,6 +88,8 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, unsigned int i, window; int octet; isc_boolean_t found; + isc_boolean_t found_ns; + isc_boolean_t need_rrsig; unsigned char *nsec_bits, *bm; unsigned int max_type; @@ -141,7 +143,7 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); if (result != ISC_R_SUCCESS) return (result); - found = ISC_FALSE; + found = found_ns = need_rrsig = ISC_FALSE; for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) 
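Review bot: In the declarations hunk, `found` keeps its old name but now records only data other than NS, SOA or DS, while the two new flags carry the cases that used to be folded into it, and none of the three says what it means at the point of declaration, so a reader has to re-derive the split from the loop body further down. One comment per flag would make the later `(found && !found_ns) || need_rrsig` test self-explanatory: `isc_boolean_t found;      /* data other than NS, SOA or DS seen */`, `isc_boolean_t found_ns;   /* NS seen: delegation point or zone apex */`, `isc_boolean_t need_rrsig; /* SOA or DS seen: these are always signed */`. The initialisation hunk (`found = found_ns = need_rrsig = ISC_FALSE;`) is fine as is. dns_nsec3_buildrdata begins before these hunks and continues after them.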
@@ -153,13 +155,26 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
 			set_bit(bm, rdataset.type, 1);
-			/* Don't set RRSIG for insecure delegation. */
-			if (rdataset.type != dns_rdatatype_ns)
+			/*
+			 * Work out if we need to set the RRSIG bit for
+			 * this node. We set the RRSIG bit if either of
+			 * the following conditions are met:
+			 * 1) We have a SOA or DS then we need to set
+			 * the RRSIG bit as both always will be signed.
+			 * 2) We set the RRSIG bit if we don't have
+			 * a NS record but do have other data.
+			 */
+			if (rdataset.type == dns_rdatatype_soa ||
+			    rdataset.type == dns_rdatatype_ds)
+				need_rrsig = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_ns)
+				found_ns = ISC_TRUE;
+			else
+				found = ISC_TRUE;
 		}
 		dns_rdataset_disassociate(&rdataset);
 	}
-	if (found) {
+	if ((found && !found_ns) || need_rrsig) {
 		if (dns_rdatatype_rrsig > max_type)
 			max_type = dns_rdatatype_rrsig;
 		set_bit(bm, dns_rdatatype_rrsig, 1);
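Review bot: The new classification branch silently depends on NSEC, NSEC3 and RRSIG rdatasets never reaching it: every type that is not SOA, DS or NS sets `found`, so if the NSEC3 chain's own RRSIG were iterated here it would re-enable the RRSIG bit on every node, including the insecure delegations this change is meant to fix. The guard that keeps those types out is above the hunk (presumably a `rdataset.type != dns_rdatatype_nsec3 && rdataset.type != dns_rdatatype_rrsig` test on the enclosing `if`), and the new comment should state that the logic relies on it, e.g. `* NSEC/NSEC3/RRSIG rdatasets must already have been skipped above.` The comment's wording also wants `either of the following conditions is met` and `an NS record`. The enclosing loop and dns_nsec3_buildrdata both start before and continue past this hunk.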