[1579] suggested change: made findNoNameResult completely DNSSEC-agnostic.

same adjustment as the previous comment was made for tests.
also fixed a small bug in getDNSSECRRset(): I should have reversed the
logic for need_nscheck.

src/lib/datasrc/database.cc

@@ -783,7 +783,7 @@ DatabaseClient::Finder::FindDNSSECContext::getDNSSECRRset(const Name &name,
     try {
         const Name& nsec_name =
             covering ? finder_.findPreviousName(name) : name;
-        const bool need_nscheck = (nsec_name == finder_.getOrigin());
+        const bool need_nscheck = (nsec_name != finder_.getOrigin());
         const FoundRRsets found = finder_.getRRsets(nsec_name.toText(),
                                                     NSEC_TYPES(),
                                                     need_nscheck);
@@ -955,12 +955,8 @@ DatabaseClient::Finder::findNoNameResult(const Name& name, const RRType& type,
     // NSEC records if requested).
     LOG_DEBUG(logger, DBG_TRACE_DETAILED, DATASRC_DATABASE_NO_MATCH).
               arg(accessor_->getDBName()).arg(name).arg(type).arg(getClass());
-    const ConstRRsetPtr nsec = dnssec_ctx.isNSEC() ? findNSECCover(name) :
-        ConstRRsetPtr();
-    if (dnssec_ctx.isNSEC() && !nsec) {
-        isc_throw(DataSourceError, "no NSEC RR covers in the NSEC signed zone");
-    }
-    return (ResultContext(NXDOMAIN, nsec, dnssec_ctx.getResultFlags()));
+    return (ResultContext(NXDOMAIN, dnssec_ctx.getDNSSECRRset(name, true),
+                          dnssec_ctx.getResultFlags()));
 }
 
 bool

src/lib/datasrc/tests/database_unittest.cc

@@ -2444,14 +2444,13 @@ TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
     if (!this->is_mock_) {
         return; // We don't make the real DB to throw
     }
-    // If the zone is signed with NSEC, find function should throw an error
-    // when no NSEC RRset for NXDOMAIN case.
-    EXPECT_THROW(doFindTest(*finder, Name("notimplnsec.example.org."),
-                            RRType::TXT(), RRType::NSEC(), this->rrttl_,
-                            ZoneFinder::NXDOMAIN, this->empty_rdatas_,
-                            this->empty_rdatas_, ZoneFinder::RESULT_DEFAULT,
-                            Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC),
-                 DataSourceError);
+    // In this case the accessor doesn't support findPreviousName(), but the
+    // zone apex has NSEC, and the zone itself is considered NSEC-signed.
+    doFindTest(*finder, Name("notimplnsec.example.org."),
+               RRType::TXT(), RRType::NSEC(), this->rrttl_,
+               ZoneFinder::NXDOMAIN, this->empty_rdatas_,
+               this->empty_rdatas_, ZoneFinder::RESULT_NSEC_SIGNED,
+               Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
 }
 
 TYPED_TEST(DatabaseClientTest, emptyNonterminalNSEC) {
@@ -2471,8 +2470,7 @@ TYPED_TEST(DatabaseClientTest, emptyNonterminalNSEC) {
     if (!this->is_mock_) {
         return; // We don't make the real DB to throw
     }
-    // In this case the accessor doesn't support findPreviousName(), but the
-    // zone apex has NSEC, and the zone itself is considered NSEC-signed.
+    // See the corresponding case of NXDOMAIN_NSEC.
     doFindTest(*finder, Name("here.wild.example.org."),
                RRType::TXT(), RRType::NSEC(), this->rrttl_,
                ZoneFinder::NXRRSET, this->empty_rdatas_,