From e4d64a0c33a4587cc2f4af5d823475c80b828fc1 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 15 Jul 2025 15:14:23 +1000
Subject: [PATCH] Fix find_coveringnsec in qpcache.c

dns_qp_lookup was returning ISC_R_NOTFOUND rather than DNS_R_PARTIALMATCH
when there wasn't a parent with a NSEC record in the cache.  This was
causing find_coveringnsec to fail rather than returing the covering NSEC.

(cherry picked from commit 7de4207cb6dc9c65a4405a1710d15a723a6d2bf1)
---
 lib/dns/qpcache.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 00f8534213..abb1888d17 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -1517,7 +1517,13 @@ find_coveringnsec(qpc_search_t *search, const dns_name_t *name,
 	 */
 	result = dns_qp_lookup(search->qpdb->nsec, name, NULL, &iter, NULL,
 			       (void **)&node, NULL);
-	if (result != DNS_R_PARTIALMATCH) {
+	/*
+	 * When DNS_R_PARTIALMATCH or ISC_R_NOTFOUND is returned from
+	 * dns_qp_lookup there is potentially a covering NSEC present
+	 * in the cache so we need to search for it.  Otherwise we are
+	 * done here.
+	 */
+	if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
 		return ISC_R_NOTFOUND;
 	}