[1574b] check parameter of NSEC3PARAM when added after NSEC3

src/lib/datasrc/memory_datasrc.cc

@@ -386,11 +386,9 @@ struct InMemoryZoneFinder::InMemoryZoneFinderImpl {
         // otherwise check parameter consistency.
         if (!zone_data.nsec3_data_) {
             zone_data.nsec3_data_.reset(new ZoneData::NSEC3Data(nsec3_rdata));
-        } else {
-            if (!zone_data.nsec3_data_->hash_->match(nsec3_rdata)) {
-                isc_throw(AddError, "NSEC3 with inconsistent parameters: " <<
-                          rrset->toText());
-            }
+        } else if (!zone_data.nsec3_data_->hash_->match(nsec3_rdata)) {
+            isc_throw(AddError, "NSEC3 with inconsistent parameters: " <<
+                      rrset->toText());
         }
 
         string fst_label = rrset->getName().split(0, 1).toText(true);
@@ -477,17 +475,22 @@ struct InMemoryZoneFinder::InMemoryZoneFinderImpl {
                 node->setFlag(DomainNode::FLAG_CALLBACK);
             }
 
-            // If we've added NSEC3PARAM and the zone isn't yet NSEC3-ready
-            // set it up (note: this part doesn't ensure strong exception
-            // guarantee)
-            if (rrset->getType() == RRType::NSEC3PARAM() &&
-                !zone_data.nsec3_data_) {
-                zone_data.nsec3_data_.reset(
-                    new ZoneData::NSEC3Data(
-                        dynamic_cast<const generic::NSEC3PARAM&>(
-                            rrset->getRdataIterator()->getCurrent())));
+            // If we've added NSEC3PARAM, set up NSEC3 specific data or check
+            // consistency with already set up parameters.
+            if (rrset->getType() == RRType::NSEC3PARAM()) {
+                // We know rrset has exactly one RDATA
+                const generic::NSEC3PARAM& param =
+                    dynamic_cast<const generic::NSEC3PARAM&>(
+                        rrset->getRdataIterator()->getCurrent());
+
+                if (!zone_data.nsec3_data_) {
+                    zone_data.nsec3_data_.reset(
+                        new ZoneData::NSEC3Data(param));
+                } else if (!zone_data.nsec3_data_->hash_->match(param)) {
+                    isc_throw(AddError, "NSEC3PARAM with inconsistent "
+                              "parameters: " << rrset->toText());
+                }
             }
-
             return (result::SUCCESS);
         } else {
             // The RRSet of given type was already there

src/lib/datasrc/tests/memory_datasrc_unittest.cc

@@ -1504,6 +1504,11 @@ TEST_F(InMemoryZoneFinderTest, paramConsistencyWithNSEC3) {
                      textToRRset("a.example.org. 300 IN NSEC3 1 0 1 aabbccdd "
                                  "2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG")),
                  InMemoryZoneFinder::AddError);
+
+    // Likewise, NSEC3PARAM with inconsistent parameter will be rejected.
+    EXPECT_THROW(zone_finder_.add(textToRRset("example.org. 300 IN NSEC3PARAM "
+                                              "1 0 1 aabbccdd")),
+                 InMemoryZoneFinder::AddError);
 }
 
 TEST_F(InMemoryZoneFinderTest, multiNSEC3PARAM) {
@@ -1516,7 +1521,7 @@ TEST_F(InMemoryZoneFinderTest, multiNSEC3PARAM) {
 }
 
 // TODO
+// - multiple NSEC3 RDATA
 // - existence of NSEC3PARAM
-// - add NSEC3PARAM second, check consistency
 // - add NSEC3PARAM at non origin (should be ignored)
 }