From c99d9017ba00099bfa89e1ed53e63a5cb07d28d5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 29 Apr 2002 23:50:26 +0000 Subject: [PATCH] 1275. [bug] When verifying that an NXT proves nonexistence, check the rcode of the message and only do the matching NXT check. That is, for NXDOMAIN responses, check that the name is in the range between the NXT owner and next name, and for NOERROR NODATA responses, check that the type is not present in the NXT bitmap. --- CHANGES | 7 +++++++ lib/dns/validator.c | 22 ++++++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index a11dde4e00..ae2eaa6919 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +1275. [bug] When verifying that an NXT proves nonexistence, check + the rcode of the message and only do the matching NXT + check. That is, for NXDOMAIN responses, check that + the name is in the range between the NXT owner and + next name, and for NOERROR NODATA responses, check + that the type is not present in the NXT bitmap. + 1274. [func] preferred-glue option from BIND 8.3. 1273. [bug] The dnssec system test failed to remove the correct diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 4806006d6b..78a6705cb4 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.103 2002/02/20 03:34:22 marka Exp $ */ +/* $Id: validator.c,v 1.104 2002/04/29 23:50:24 marka Exp $ */ #include @@ -345,8 +345,16 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname, { int order; dns_rdata_t rdata = DNS_RDATA_INIT; + isc_boolean_t isnxdomain; isc_result_t result; + INSIST(DNS_MESSAGE_VALID(val->event->message)); + + if (val->event->message->rcode == dns_rcode_nxdomain) + isnxdomain = ISC_TRUE; + else + isnxdomain = ISC_FALSE; + result = dns_rdataset_first(nxtset); if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), 
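Review bot: The added `if`/`else` in the @@ -345,8 +345,16 @@ hunk maps every rcode other than NXDOMAIN onto the NODATA path, so a response carrying any other rcode would be checked as though it were NOERROR; unless the caller already restricts validation to NOERROR and NXDOMAIN (not visible in this hunk), reject the rest right after the INSIST with `if (val->event->message->rcode != dns_rcode_noerror && val->event->message->rcode != dns_rcode_nxdomain) return (ISC_FALSE);`. The four-line `if`/`else` can also be written as the single line `isnxdomain = ISC_TF(val->event->message->rcode == dns_rcode_nxdomain);`. A short comment above the flag would tell the reader why it exists, e.g. `/* NXDOMAIN: the name must fall inside the NXT span; NODATA: the NXT must sit at the name and lack the type bit. */`. nxtprovesnonexistence starts before this hunk and its body continues past it.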
@@ -359,8 +367,13 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname, order = dns_name_compare(val->event->name, nxtname); if (order == 0) { /* - * The names are the same, so look for the type present bit. + * The names are the same. Look for the type present bit. */ + if (isnxdomain) { + validator_log(val, ISC_LOG_DEBUG(3), + "NXT record seen at nonexistent name"); + return (ISC_FALSE); + } if (val->event->type >= 128) { validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d", val->event->type); @@ -379,6 +392,11 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname, /* * The NXT owner name is less than the nonexistent name. */ + if (!isnxdomain) { + validator_log(val, ISC_LOG_DEBUG(3), + "missing NXT record at name"); + return (ISC_FALSE); + } result = dns_rdata_tostruct(&rdata, &nxt, NULL); if (result != ISC_R_SUCCESS) return (ISC_FALSE);
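Review bot: The two new early returns, in the `order == 0` branch here and in the NXT-owner-less-than-name branch of the following hunk (@@ -379,6 +392,11 @@), are the substance of the fix, but the comments around them still describe only the old single check, so a reader cannot see why an NXT at the name is rejected for NXDOMAIN or an NXT below the name is rejected for NODATA. Extend the comment in the `order == 0` branch to `* The names are the same. An NXT owned by the name proves the name exists, so it cannot support NXDOMAIN; otherwise look for the type present bit.`, and the one in the following hunk to `* The NXT owner name is less than the query name. Only an NXDOMAIN answer can be proven by a covering NXT; a NODATA answer needs the NXT at the name itself.`. The log strings `"NXT record seen at nonexistent name"` and `"missing NXT record at name"` carry no query name, so a rejected NXT cannot be tied to the query in the debug log the way the `"invalid type %d"` call just below can; adding a formatted name argument would help, though how this file formats names is not visible in these hunks. Both branches sit inside nxtprovesnonexistence, whose start and end lie outside these hunks.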