
Wrong NSEC3 chosen for NO QNAME proof

When we optimised the closest encloser NSEC3 discovery, the maxlabels
variable was used in the binary search. The updated value was later
used to add the NO QNAME NSEC3, but that block of code needed the
original value. This resulted in the wrong NSEC3 sometimes being
chosen to perform this role.
This commit is contained in:
Mark Andrews
2025-04-22 18:39:59 +10:00
committed by Michał Kępień
parent 5be38ee615
commit 9bb93520f1


@@ -11015,6 +11015,7 @@ again:
*/
unsigned int maxlabels = dns_name_countlabels(name);
unsigned int minlabels = dns_name_countlabels(fname);
unsigned int namelabels = maxlabels;
bool search = result == DNS_R_NXDOMAIN;
dns_name_copy(name, cname);
while (search) {
@@ -11072,7 +11073,7 @@ again:
* Add no qname proof.
*/
labels = dns_name_countlabels(cname) + 1;
if (labels > maxlabels) {
if (labels > namelabels) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(cname, namebuf, sizeof(namebuf));
ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
@@ -11080,7 +11081,7 @@ again:
"closest-encloser name too long: %s",
namebuf);
dns_name_copy(name, wname);
} else if (labels == maxlabels) {
} else if (labels == namelabels) {
dns_name_copy(name, wname);
} else {
dns_name_split(name, labels, NULL, wname);
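Review bot: The new `namelabels` declaration in the first hunk is added without a comment saying why it must be kept apart from `maxlabels`, so a later reader may well fold the two back together and reintroduce exactly the bug this commit fixes; a comment on the declaration such as `/* Snapshot taken before the search below narrows maxlabels; the NO QNAME proof needs the label count of the original name. */` would pin that invariant. Declaring it `const unsigned int namelabels = maxlabels;` would additionally let the compiler reject any accidental reassignment between the declaration and its use in the second and third hunks. If `maxlabels` is read anywhere else after the search loop, outside the lines shown here, that use presumably needs the same treatment, which is worth a quick audit. The enclosing function begins and ends outside these hunks.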