From 4bdd5a9953294f13bb964dde137b02b798ea1a54 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 6 Nov 2021 09:30:48 +1100
Subject: [PATCH] Ignore NSEC records without RRSIG and NSEC present

dns_nsec_noexistnodata now checks that RRSIG and NSEC are present in the type map. Both types should be present in a correctly constructed NSEC record. This check is in addition to similar checks in resolver.c and validator.c.
---
 lib/dns/nsec.c | 10 ++++++++++
 lib/ns/query.c | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 95af49c3a2..d7aa394f92 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -328,6 +328,16 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 }
 dns_rdataset_current(nsecset, &rdata);
+#ifdef notyet
+ if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
+ !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
+ {
+ (*logit)(arg, ISC_LOG_DEBUG(3),
+ "NSEC missing RRSIG and/or NSEC from type map");
+ return (ISC_R_IGNORE);
+ }
+#endif
+
 (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 71a65d4894..ce88b2df51 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -10069,6 +10069,14 @@ query_coveringnsec(query_ctx_t *qctx) {
 goto cleanup;
 }
+ /*
+ * If NSEC or RRSIG are missing from the type map
+ * reject the NSEC RRset.
+ */
+ if (!dns_nsec_requiredtypespresent(qctx->rdataset)) {
+ goto cleanup;
+ }
+
 /*
 * Check that we have the correct NOQNAME NSEC record.
 */
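Review bot: The new type-map check in dns_nsec_noexistnodata is wrapped in `#ifdef notyet`, so it is compiled out, and the commit message's statement that the function "now checks that RRSIG and NSEC are present" does not hold for this file — only the lib/ns/query.c check is live. If disabling it is deliberate, the commit message should say so and the guard deserves a comment above it, e.g. `/* notyet: returning ISC_R_IGNORE here is not yet handled by all callers — confirm before enabling */`, since I cannot see from the hunk how callers treat ISC_R_IGNORE. Note also that query.c expresses the same condition through `dns_nsec_requiredtypespresent()` (not added by this patch per the diffstat, so presumably pre-existing) while this hunk open-codes two `dns_nsec_typepresent()` calls; keeping one definition of "required types" would stop the two from drifting apart. The enclosing function starts before the hunk and continues after it.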
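Review bot: The added `goto cleanup` rejects the NSEC RRset silently, whereas the matching check in lib/dns/nsec.c logs "NSEC missing RRSIG and/or NSEC from type map" at ISC_LOG_DEBUG(3); an operator trying to see why a cached covering NSEC is no longer used for synthesis gets no trace from this path. Consider emitting the file's usual query-trace log line before the goto, and I cannot see from the hunk what `cleanup` does, so confirm that it falls back to the normal lookup rather than failing the query (RFC 4035 §2.3 requires NSEC and RRSIG in the type bit map of every NSEC in a signed zone, so rejecting the RRset is the right call, but the fallback matters). Minor wording in the new comment: `* If NSEC or RRSIG is missing from the type map, reject the NSEC RRset.`. query_coveringnsec begins and ends outside the hunk.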