From 9bb93520f18c470dd817dac7b7bd830b1fbd5f90 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 22 Apr 2025 18:39:59 +1000
Subject: [PATCH] Wrong NSEC3 chosen for NO QNAME proof

When we optimised the closest encloser NSEC3 discovery the maxlabels variable was used in the binary search. The updated value was later used to add the NO QNAME NSEC3 but that block of code needed the original value. This resulted in the wrong NSEC3 sometimes being chosen to perform this role.
---
 lib/ns/query.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index dddaed6224..901041e9ec 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11015,6 +11015,7 @@ again:
  */
 unsigned int maxlabels = dns_name_countlabels(name);
 unsigned int minlabels = dns_name_countlabels(fname);
+unsigned int namelabels = maxlabels;
 bool search = result == DNS_R_NXDOMAIN;
 dns_name_copy(name, cname);
 while (search) {
@@ -11072,7 +11073,7 @@ again:
  * Add no qname proof.
  */
 labels = dns_name_countlabels(cname) + 1;
-if (labels > maxlabels) {
+if (labels > namelabels) {
 char namebuf[DNS_NAME_FORMATSIZE];
 dns_name_format(cname, namebuf, sizeof(namebuf));
 ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
@@ -11080,7 +11081,7 @@ again:
 "closest-encloser name too long: %s",
 namebuf);
 dns_name_copy(name, wname);
-} else if (labels == maxlabels) {
+} else if (labels == namelabels) {
 dns_name_copy(name, wname);
 } else {
 dns_name_split(name, labels, NULL, wname);
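Review bot: `unsigned int namelabels = maxlabels;` in the first hunk carries no comment saying why a second copy of the label count is needed, so the next reader sees two variables with the same value and may well fold them back together; the reason lives only in the commit message. I would add above the declaration: `/* maxlabels is narrowed by the binary search below; namelabels keeps the original label count of name for the no-qname proof. */` The same distinction is what the two comparisons in the second and third hunks now rely on, so a one-line pointer there (`/* compare against the original qname length, not the narrowed maxlabels */`) would keep the three sites from drifting apart again. The fix also arrives without a regression test; an NXDOMAIN response whose closest encloser sits more than one label above the qname appears to be what reaches the `dns_name_split(name, labels, NULL, wname)` branch the old comparison misrouted, though that is inferred from the hunk rather than visible in it. The enclosing function begins and ends outside these hunks.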