From d31740ce282bcf0a27e17dec49a3ff9ddd26e814 Mon Sep 17 00:00:00 2001
From: Scott Mann
Date: Tue, 1 Mar 2011 14:40:39 +0000
Subject: [PATCH] Fixed DNSKEY NODATA responses not cached (RT #22908).

---
 CHANGES | 4 ++++
 bin/tests/system/dnssec/tests.sh | 22 +++++++++++++++++++++-
 lib/dns/validator.c | 10 +++-------
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index eb6404068d..6a337efa38 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3047. [bug] DNSKEY NODATA responses not cached fixed in
+ validator.c. Tests added to dnssec system test.
+ [RT #22908]
+
 3046. [bug] Use RRSIG original TTL to compute validated RRset and RRSIG TTL. [RT #23332]
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d6269ddae8..7c2b81ebee 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.79 2011/02/28 14:21:35 fdupont Exp $
+# $Id: tests.sh,v 1.80 2011/03/01 14:40:39 smann Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1204,5 +1204,25 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking dnskey query with no data still gets put in cache ($n)"
+ret=0
+myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
+firstVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+sleep 1
+secondVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+if [ $firstVal -eq $secondVal ]
+then
+ sleep 1
+ thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+ if [ $firstVal -eq $thirdVal ]
+ then
+ echo "I: cannot confirm query answer still in cache"
+ ret=1
+ fi
+fi
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
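Review bot: The cache check at `if [ $firstVal -eq $secondVal ]` cannot reliably report the failure it is written to detect: each value is the unquoted second field of every line that `$DIG ... | awk '{ print $2 }'` prints, so if dig prints nothing the comparison degenerates to `[ -eq ]` (true as a non-empty-string test, giving a failure for the wrong reason), and if it prints more than one record line `[` receives extra operands, exits with "too many arguments", the `then` branch is skipped, `ret` stays 0 and the step counts as passed without having compared anything. Pin each value to a single line, e.g. `awk 'NR == 1 { print $2 }'`, quote the variables in both comparisons, and add `if [ -z "$firstVal" ] || [ -z "$secondVal" ]; then ret=1; fi` ahead of the outer `if` (and the same for `thirdVal`). Since `+noauth` is not among `myDIGOPTS`, the field compared is presumably the TTL of the first authority-section record of the NODATA reply; a one-line comment saying which record's TTL is expected to count down would make the intent of the three-query sequence clear to the next reader.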
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 765fc28189..7c50af35e9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: validator.c,v 1.199 2011/02/28 14:21:35 fdupont Exp $ */
+/* $Id: validator.c,v 1.200 2011/03/01 14:40:39 smann Exp $ */
 
 #include
 
@@ -3040,13 +3040,11 @@ validate_authority(dns_validator_t *val, isc_boolean_t resume) {
 * infinite loop. Avoid that.
 */
 if (val->event->type == dns_rdatatype_dnskey &&
+ rdataset->type == dns_rdatatype_nsec &&
 dns_name_equal(name, val->event->name)) {
 dns_rdata_t nsec = DNS_RDATA_INIT;
 
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
-
 result = dns_rdataset_first(rdataset);
 if (result != ISC_R_SUCCESS)
 return (result);
@@ -3120,13 +3118,11 @@ validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
 * infinite loop. Avoid that.
 */
 if (val->event->type == dns_rdatatype_dnskey &&
+ rdataset->type == dns_rdatatype_nsec &&
 dns_name_equal(name, val->event->name)) {
 dns_rdata_t nsec = DNS_RDATA_INIT;
 
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
-
 result = dns_rdataset_first(rdataset);
 if (result != ISC_R_SUCCESS)
 return (result);
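Review bot: The comment above the rewritten condition in validate_authority (its text starts outside the hunk; only `* infinite loop. Avoid that.` is visible) still explains only the old NSEC special case and says nothing about why non-NSEC RRsets at the query name must now fall through rather than be skipped, which is the substance of this fix. Presumably the removed `continue` was what dropped the other RRsets of a DNSKEY NODATA reply (the SOA at the zone apex, for instance) out of validation, so a line such as `* Only the NSEC RRset at the query name gets this treatment; any other RRset at that name must go through normal validation, or a DNSKEY NODATA answer is not cached (RT #22908).` would stop the next reader from reinstating the skip. The validate_ncache hunk that follows makes the identical change and should carry the same comment. Both enclosing functions begin outside their hunks.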