diff --git a/src/knot/zone/semantic-check.c b/src/knot/zone/semantic-check.c
index e94b62344..e4ea4367f 100644
--- a/src/knot/zone/semantic-check.c
+++ b/src/knot/zone/semantic-check.c
@@ -481,12 +481,15 @@ static int check_delegation(const zone_node_t *node, semchecks_data_t *data)
 for (int i = 0; i < ns_rrs->count; ++i) {
 knot_rdata_t *ns_rr = knot_rdataset_at(ns_rrs, i);
 const knot_dname_t *ns_dname = knot_ns_name(ns_rr);
- if (knot_dname_in_bailiwick(ns_dname, data->zone->apex->owner) < 0) {
- continue;
+ const zone_node_t *glue_node = NULL, *glue_encloser = NULL;
+ int res = zone_contents_find_dname(data->zone, ns_dname, &glue_node, &glue_encloser, NULL);
+ if (res == KNOT_EOUTOFZONE) {
+ continue; // NS is out of bailiwick
+ }
+ if (glue_encloser != NULL && glue_encloser != node &&
+ (glue_encloser->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH))) {
+ continue; // NS is below another delegation
 }
-
- const zone_node_t *glue_node =
- zone_contents_find_node(data->zone, ns_dname);
 if (glue_node == NULL) {
 /* Try wildcard ([1]* + suffix). */
diff --git a/tests/knot/semantic_check_data/glue_in_deleg.valid b/tests/knot/semantic_check_data/glue_in_deleg.valid
new file mode 100644
index 000000000..42adf6bea
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_in_deleg.valid
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS ns2.d
+
+d NS ns1.d
+ns1.d A 1.2.3.4
+
+; glue below another delegation is not mandatory
diff --git a/tests/knot/test_semantic_check.in b/tests/knot/test_semantic_check.in
index 70785e017..98d25e910 100644
--- a/tests/knot/test_semantic_check.in
+++ b/tests/knot/test_semantic_check.in
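Review bot: In the semantic-check.c hunk, the new skip test `glue_encloser != node && (glue_encloser->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH))` only rules out the delegation point itself, so it does not actually tell "below another delegation" apart from "below this delegation". If NODE_FLAGS_NONAUTH is set on every node under a delegation, an NS target whose closest encloser is a deeper node under `node` would be skipped, and if zone_contents_find_dname reports an exact match as its own encloser, so would every existing glue node; in both cases missing mandatory glue would stop being reported. Consider tying the test to the current delegation, e.g. replacing `glue_encloser != node` with `knot_dname_in_bailiwick(ns_dname, node->owner) < 0`, and adding a fixture that must still fail for glue missing under the same delegation. Separately, `res` is only compared with KNOT_EOUTOFZONE, so any other error code falls through with `glue_node == NULL` and is handled as a plain missing node; either propagate it or add a comment such as `/* other errors are treated as "node not found" on purpose */`. check_delegation begins and ends outside the hunk, so this is based on the visible loop body only.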
@@ -132,6 +132,7 @@ test_correct "no_error_nsec3_delegation.signed"
 test_correct "no_error_nsec3_optout.signed"
 test_correct "glue_wildcard.valid"
 test_correct "glue_no_foreign.valid"
+test_correct "glue_in_deleg.valid"
 test_correct "cdnskey.cds"
 test_correct "cdnskey.delete.both"
 test_correct "dname_apex_nsec3.signed"