iterate: fix NSEC3 records missing from answer in an edge case

Vladimír Čunát requested to merge nsec3-iters-wild into master-5

When positive wildcard expansion happens, NSEC(3) records are needed to prove that the expansion was allowed. If the NSEC3 had too many iterations, we downgrade the answer to insecure status, but unintentionally we also dropped the NSEC3 record from the answer.

That was breaking DNSSEC validation of that answer, e.g. when forwarding to Knot Resolver. The validator needs the NSEC3 - either to validate the expansion or to determine that it's too expensive.

Fixes #910 (closed)
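
A simplified model of the behaviour described above, as an added example that is not Knot Resolver's code and not part of this merge request. The iteration limit, the record class and all function names are assumptions made for illustration, the sample records are constructed, and NSEC3 hash matching is left out.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ITERATIONS = 50  # assumed limit for this model; the page does not state one

@dataclass
class RR:
    owner: str
    rtype: str
    rrsig_labels: Optional[int] = None  # Labels field of the covering RRSIG
    iterations: Optional[int] = None    # NSEC3 iteration count

def label_count(name: str) -> int:
    # RRSIG Labels convention: the root and a leading "*" label are not counted.
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def is_expanded(rr: RR) -> bool:
    # Fewer signed labels than owner labels: the RR was synthesized from a wildcard.
    return rr.rrsig_labels is not None and rr.rrsig_labels < label_count(rr.owner)

def validate(answer, authority) -> str:
    """Downstream validator: an expanded answer needs NSEC3 in the authority section."""
    if not any(is_expanded(rr) for rr in answer):
        return "secure"  # assumes the signatures themselves verify
    nsec3 = [rr for rr in authority if rr.rtype == "NSEC3"]
    if not nsec3:
        return "bogus"  # no proof of the expansion, and nothing to judge as too expensive
    if any((rr.iterations or 0) > MAX_ITERATIONS for rr in nsec3):
        return "insecure"  # too expensive to check, so downgrade instead of failing
    return "secure"  # hash matching against the NSEC3 chain is omitted in this model

def build_response(answer, proofs, drop_on_downgrade: bool):
    """Resolver side: returns (status, authority section sent to the client)."""
    status = validate(answer, proofs)
    if status == "insecure" and drop_on_downgrade:
        return status, []        # the unintended behaviour: NSEC3 dropped on downgrade
    return status, list(proofs)  # the intended behaviour: NSEC3 stays in the answer

# Constructed sample: an A record expanded from *.wild.example. plus a high-iteration NSEC3.
ANSWER = [RR("a.wild.example.", "A", rrsig_labels=2)]
PROOFS = [RR("constructedhash.example.", "NSEC3", iterations=500)]

if __name__ == "__main__":
    for drop in (True, False):
        status, authority = build_response(ANSWER, PROOFS, drop)
        print(f"drop={drop}: resolver={status}, downstream={validate(ANSWER, authority)}")
```
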