From d2a8d00228973e59eb3efcc377126d856bf7df18 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 22 Oct 2009 01:55:55 +0000
Subject: [PATCH] 2724. [bug] Updates to a existing node in secure zone using NSEC were failing. [RT #20448]
---
 CHANGES | 3 +++
 bin/named/update.c | 19 +++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index c43a87829f..c62f92496c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2724. [bug] Updates to a existing node in secure zone using NSEC
+ were failing. [RT #20448]
+
 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and isc_base64_totext(), didn't always mark regions of memory as fully consumed after conversion. [RT #20445]
diff --git a/bin/named/update.c b/bin/named/update.c
index 132481fb4f..45f698b1a4 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: update.c,v 1.163 2009/10/10 23:47:58 tbox Exp $ */
+/* $Id: update.c,v 1.164 2009/10/22 01:55:55 marka Exp $ */
 #include
@@ -2333,15 +2333,18 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 dns_rdatatype_any, 0, NULL, diff)); } else { /*
- * This name is not obscured. It should have a NSEC
- * unless it is the at the origin, in which case it
- * should already exist.
+ * This name is not obscured. It needs to have a
+ * NSEC unless it is the at the origin, in which
+ * case it should already exist if there is a complete
+ * NSEC chain and if there isn't a complete NSEC chain
+ * we don't want to add one as that would signal that
+ * there is a complete NSEC chain.
 */ if (!dns_name_equal(name, dns_db_origin(db))) {
- CHECK(dns_private_chains(db, newver,
- privatetype, &flag,
- NULL));
- if (flag)
+ CHECK(rrset_exists(db, newver, name,
+ dns_rdatatype_nsec, 0,
+ &flag));
+ if (!flag)
 CHECK(add_placeholder_nsec(db, newver, name, diff)); }
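Review bot: In the `else` branch of update_signatures() in bin/named/update.c, the placeholder NSEC is now added whenever `rrset_exists()` finds no NSEC at the name, and the removed `dns_private_chains(db, newver, privatetype, &flag, NULL)` call was the only check visible here that tied this step to the zone actually building an NSEC chain. The function starts and ends outside the hunk, so a guard may exist earlier; if it does not, an update to a zone signed only with NSEC3 could have a stray NSEC added at the name. Please confirm the guard and say so in the comment, for example `* (This branch is only reached for zones with an NSEC chain.)`, adjusted to whatever the surrounding code really guarantees. Two smaller points: `unless it is the at the origin` should read `unless it is at the origin`, and the multi-line `CHECK(add_placeholder_nsec(...))` under `if (!flag)` is easier to read and safer to edit inside braces.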