the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata

2025-08-22 18:19:42 +00:00 · 2018-07-06 15:07:59 +10:00 · 2018-07-06 15:07:59 +10:00 · 8ef23f9fb0
commit 8ef23f9fb0
parent 7f60bb39df
2 changed files with 13 additions and 2 deletions
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@ -101,6 +101,9 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
+ * Return DNS_R_DNAME when the NSEC indicates that name is covered by
+ * a DNAME.  'wild' is not set in this case.
+ *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 */

--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@ -374,8 +374,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 	}

 	if (relation == dns_namereln_subdomain &&
-	    (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) ||
-	     dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
 	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
 	{
 		/*
@ -388,6 +387,15 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 		return (ISC_R_IGNORE);
 	}

+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "nsec proves covered by dname");
+		*exists = ISC_FALSE;
+		return (DNS_R_DNAME);
+	}
+
 	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);