[1584review] added a test for a run time collision case for wildcard + NSEC3.

main code was simplified; we let Message::addRRset() catch the error and throw.

src/bin/auth/query.cc

@@ -195,10 +195,9 @@ Query::addWildcardProof(ZoneFinder& finder,
         // met the zone is broken anyway).
         const ZoneFinder::FindNSEC3Result NSEC3Result(
             finder.findNSEC3(qname_, true));
-        if (NULL == NSEC3Result.next_proof) {
-            isc_throw(BadNSEC3, "Unexpected NSEC3 "
-                      "result for wildcard proof");
-        }
+        // Note that at this point next_proof must not be NULL unless it's
+        // a run time collision (or zone/findNSEC3() is broken).  The
+        // unexpected case will be caught in addRRset() and result in SERVFAIL.
         response_.addRRset(Message::SECTION_AUTHORITY,
                            boost::const_pointer_cast<AbstractRRset>(
                                NSEC3Result.next_proof), dnssec_);

src/bin/auth/tests/query_unittest.cc

@@ -1415,6 +1415,20 @@ TEST_F(QueryTest, CNAMEwildNSEC3) {
                   mock_finder->getOrigin());
 }
 
+TEST_F(QueryTest, badWildcardNSEC3) {
+    // Similar to wildcardNSEC3, but emulating run time collision by
+    // returning NULL in the next closer proof for the closest encloser
+    // proof.
+    mock_finder->setNSEC3Flag(true);
+    ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
+                                      ConstRRsetPtr());
+    mock_finder->setNSEC3Result(&nsec3);
+
+    EXPECT_THROW(Query(memory_client, Name("www.wild.example.com"),
+                       RRType::A(), response, true).process(),
+                 isc::InvalidParameter);
+}
+
 TEST_F(QueryTest, badWildcardProof1) {
     // Unexpected case in wildcard proof: ZoneFinder::find() returns SUCCESS
     // when NXDOMAIN is expected.