[1580] simplified the cases with unexpected NULL results of findNSEC3().

adjusted the expected exception for nxdomainWithBadNextNSEC3Proof accordingly.

src/bin/auth/query.cc

@@ -171,23 +171,14 @@ void
 Query::addNSEC3NXDOMAINProof(ZoneFinder& finder) {
     // Firstly get the NSEC3 proves for Closest Encloser Proof
     // See section 7.2.1 of RFC 5155.
+    // Since this is a Name Error case both closest and next proofs should
+    // be available (see addNXRRsetProof).
     const ZoneFinder::FindNSEC3Result fresult1 = finder.findNSEC3(qname_,
                                                                   true);
-    if (!fresult1.closest_proof) {
-        isc_throw(BadNSEC3,  "NSEC3 RR for NXDOMAIN proving that matches the "
-                  "closest encloser is empty.");
-    }
-    // Add the NSEC3 proving that matches the closest (provable) encloser.
     response_.addRRset(Message::SECTION_AUTHORITY,
                        boost::const_pointer_cast<AbstractRRset>(
-                       fresult1.closest_proof),
+                           fresult1.closest_proof),
                        dnssec_);
-    if (!fresult1.next_proof) {
-        isc_throw(BadNSEC3,  "NSEC3 RR for NXDOMAIN proving that covers the "
-                  "next closer to the closest encloser is empty.");
-    }
-    // Add the NSEC3 RR that covers the "next closer" name to the closest
-    // encloser.
     response_.addRRset(Message::SECTION_AUTHORITY,
                        boost::const_pointer_cast<AbstractRRset>(
                        fresult1.next_proof),
@@ -200,10 +191,7 @@ Query::addNSEC3NXDOMAINProof(ZoneFinder& finder) {
                             fresult1.closest_labels)));
     const ZoneFinder::FindNSEC3Result fresult2 =
         finder.findNSEC3(wildname, false);
-    if (!fresult2.closest_proof) {
-            isc_throw(BadNSEC3, "NSEC3 for NXDOMAIN covering the wildcard "
-                      "RR at the closest encloser is empty.");
-    }
+
     // Add the wildcard proof only when it's different from the NSEC3 RR
     // that covers the "next closer" name to the closest encloser.
     if (fresult1.next_proof->getName() != fresult2.closest_proof->getName()) {

src/bin/auth/tests/query_unittest.cc

@@ -2148,18 +2148,8 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
                   NULL, mock_finder->getOrigin());
 }
 
-TEST_F(QueryTest, nxdomainWithBadNextNSEC3Proof) {
-    mock_finder->setNSEC3Flag(true);
-    ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
-                                      ConstRRsetPtr());
-    mock_finder->setNSEC3Result(&nsec3);
-
-    EXPECT_THROW(Query(memory_client, Name("nxdomain.example.com"),
-                       RRType::TXT(), response, true).process(),
-                 Query::BadNSEC3);
-}
-
 TEST_F(QueryTest, nxdomainWithNSEC3Proof) {
+    // Name Error (NXDOMAIN) case with NSEC3 proof per RFC5155 Section 7.2.2.
     mock_finder->setNSEC3Flag(true);
     Query(memory_client, Name("nxdomain.example.com"), qtype,
               response, true).process();
@@ -2176,6 +2166,21 @@ TEST_F(QueryTest, nxdomainWithNSEC3Proof) {
                   NULL, mock_finder->getOrigin());
 }
 
+TEST_F(QueryTest, nxdomainWithBadNextNSEC3Proof) {
+    // Similar to the previous case, but emulating run time collision by
+    // returning NULL in the next closer proof for the closest encloser
+    // proof.
+    mock_finder->setNSEC3Flag(true);
+    ZoneFinder::FindNSEC3Result nsec3(true, 0, textToRRset(nsec3_apex_txt),
+                                      ConstRRsetPtr());
+    mock_finder->setNSEC3Result(&nsec3);
+
+    // Message::addRRset() will detect it and throw InvalidParameter.
+    EXPECT_THROW(Query(memory_client, Name("nxdomain.example.com"),
+                       RRType::TXT(), response, true).process(),
+                 isc::InvalidParameter);
+}
+
 // The following are tentative tests until we really add tests for the
 // query logic for these cases.  At that point it's probably better to
 // clean them up.