Don't create NSEC3 nodes for unsigned delegations

Instead of creating new nodes for every possible NSEC3 record, only create them if we are actually going to add a new NSEC3 record. (cherry picked from commit 6f7abbfaac)
2026-05-28 04:34:54 -04:00 · 2025-12-09 13:45:40 +01:00 · 2025-12-09 13:45:40 +01:00 · 64017871a8
commit 64017871a8
parent 63262fd0f4
1 changed files with 23 additions and 1 deletions
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@ -589,7 +589,24 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 	 * Create the node if it doesn't exist and hold
 	 * a reference to it until we have added the NSEC3.
 	 */
-	CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+	result = dns_db_findnsec3node(db, hashname, false, &newnode);
+	if (result != ISC_R_SUCCESS) {
+		isc_result_t tresult;
+
+		CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+		tresult = dns_dbiterator_seek3(dbit, hashname);
+		CHECK(dns_dbiterator_pause(dbit));
+
+		if (tresult != ISC_R_SUCCESS) {
+			/* Nothing in the NSEC3 space yet. */
+			if (!unsecure) {
+				goto addnsec3;
+			}
+			goto cleanup;
+		}
+
+		goto find_previous;
+	}

 	/*
 	 * Seek the iterator to the 'newnode'.
@ -637,6 +654,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 		}
 	}

+find_previous:
 	/*
 	 * Find the previous NSEC3 (if any) and update it if required.
 	 */
@ -722,6 +740,10 @@ addnsec3:
 	/*
 	 * Create the NSEC3 RDATA.
 	 */
+	if (newnode == NULL) {
+		CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+	}
+
 	CHECK(dns_db_findnode(db, name, false, &node));
 	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
 				   salt, salt_length, nexthash, next_length,