the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata

lib/dns/include/dns/nsec.h

@@ -101,6 +101,9 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
  * or we can determine whether there is data or not at the name.
  * If the name does not exist return the wildcard name.
  *
+ * Return DNS_R_DNAME when the NSEC indicates that name is covered by
+ * a DNAME.  'wild' is not set in this case.
+ *
  * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
  */
 

lib/dns/nsec.c

@@ -374,8 +374,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 	}
 
 	if (relation == dns_namereln_subdomain &&
-	    (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) ||
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
-	     dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) &&
 	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
 	{
 		/*
@@ -388,6 +387,15 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 		return (ISC_R_IGNORE);
 	}
 
+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "nsec proves covered by dname");
+		*exists = ISC_FALSE;
+		return (DNS_R_DNAME);
+	}
+
 	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);