3942. [bug] Wildcard responses from a optout range should be

marked as insecure. [RT #37072]

CHANGES

@@ -1,3 +1,6 @@
+3942.	[bug]		Wildcard responses from a optout range should be
+			marked as insecure. [RT #37072]
+
 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 
 3940.	[func]		"rndc nta" now allows negative trust anchors to be

bin/tests/system/dnssec/tests.sh

@@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \
 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
 stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
 $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi

lib/dns/nsec3.c

@@ -2071,6 +2071,9 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
 					(*logit)(arg, ISC_LOG_DEBUG(3),
 						 "NSEC3 indicates optout");
+				else
+					(*logit)(arg, ISC_LOG_DEBUG(3),
+						 "NSEC3 indicates secure range");
 				*optout =
 				    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
 			}

lib/dns/validator.c

@@ -2805,7 +2805,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
 		if (!FOUNDNOQNAME(val))
 			findnsec3proofs(val);
-		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
+		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "marking as secure, noqname proof found");
 			marksecure(val->event);