From 6eb8591f005f3e270d9ffb23769753952d0ec286 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 5 Jan 2006 03:14:33 +0000
Subject: [PATCH] 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM. [RT #15465]
---
 CHANGES | 3 +++
 bin/named/update.c | 31 +++++++++++++++++++++++++------
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index 202d47507b..563958e06d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
+ [RT #15465]
+
 1959. [func] Control the zeroing of the negative response TTL to a soa query. Defaults "zero-no-soa-ttl yes;" and "zero-no-soa-ttl-cache no;". [RT #15460]
diff --git a/bin/named/update.c b/bin/named/update.c
index 716b199060..3b82739637 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: update.c,v 1.125 2005/10/07 04:03:24 marka Exp $ */
+/* $Id: update.c,v 1.126 2006/01/05 03:14:33 marka Exp $ */
 #include
@@ -1519,7 +1519,8 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 */
 static isc_result_t
 add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
+ dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
+ dns_diff_t *diff)
 {
 isc_result_t result;
 dns_dbnode_t *node = NULL;
@@ -1554,8 +1555,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 * Add the new NSEC and record the change.
 */
 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
- 3600, /* XXXRTH */
- &rdata, &tuple));
+ nsecttl, &rdata, &tuple));
 CHECK(do_one_tuple(&tuple, db, ver, diff));
 INSIST(tuple == NULL);
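Review bot: The new `nsecttl` argument of add_nsec() (hunk at -1519) is not described in any visible line; the function's header comment ends just above the hunk, so whether it lists the arguments cannot be seen from here. If it does, I would add a line such as `nsecttl is the TTL given to the new NSEC; update_signatures() passes the zone's SOA MINIMUM.` The removed `3600, /* XXXRTH */` was the only in-code hint about where this value came from, and the hunk at -1554 now takes it silently from the caller.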
@@ -1680,6 +1680,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 unsigned int nkeys = 0;
 unsigned int i;
 isc_stdtime_t now, inception, expire;
+ dns_ttl_t nsecttl;
+ dns_rdata_soa_t soa;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ dns_dbnode_t *node = NULL;
 dns_diff_init(client->mctx, &diffnames);
 dns_diff_init(client->mctx, &affected);
@@ -1700,6 +1705,20 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 inception = now - 3600; /* Allow for some clock skew. */
 expire = now + sigvalidityinterval;
+ /*
+ * Get the NSEC's TTL from the SOA MINIMUM field.
+ */
+ CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+ dns_rdataset_init(&rdataset);
+ CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
+ (isc_stdtime_t) 0, &rdataset, NULL));
+ CHECK(dns_rdataset_first(&rdataset));
+ dns_rdataset_current(&rdataset, &rdata);
+ CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+ nsecttl = soa.minimum;
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+
 /*
 * Find all RRsets directly affected by the update, and
 * update their RRSIGs. Also build a list of names affected
@@ -1903,8 +1922,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 * there is other data, and if there is other data,
 * there are other RRSIGs.
 */
- CHECK(add_nsec(client, zone, db, newver,
- &t->name, &nsec_diff));
+ CHECK(add_nsec(client, zone, db, newver, &t->name,
+ nsecttl, &nsec_diff));
 }
 }
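Review bot: In the SOA lookup added to update_signatures() (hunk at -1700), a failing `CHECK(...)` after `dns_db_findnode()` leaves with `node` still attached, and the last two (`dns_rdataset_first`, `dns_rdata_tostruct`) also with `rdataset` still associated. This assumes CHECK jumps to the function's failure label, which is outside the hunk, so treat it as something to confirm rather than a certain leak. The path runs while processing dynamic update requests, so a reference leaked on an error return is worth ruling out. `rdataset` is also initialised only after the first CHECK, so cleanup code can test it safely only if `dns_rdataset_init(&rdataset);` moves up beside the declarations added in the hunk at -1680, ahead of any CHECK in the function. At the failure label I would then expect `if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset);` and `if (node != NULL) dns_db_detachnode(db, &node);`.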