
[1581] Implement the returning of NXRRSET NSEC3 proof

Michal 'vorner' Vaner 13 years ago
commit
cb4049864f
2 changed files with 22 additions and 0 deletions
  1. 11 0
      src/bin/auth/query.cc
  2. 11 0
      src/bin/auth/query.h

+ 11 - 0
src/bin/auth/query.cc

@@ -236,6 +236,17 @@ Query::addNXRRsetProof(ZoneFinder& finder,
         if (db_result.isWildcard()) {
             addWildcardNXRRSETProof(finder, db_result.rrset);
         }
+    } else if (db_result.isNSEC3Signed()) {
+        ZoneFinder::FindNSEC3Result result(finder.findNSEC3(qname_, false));
+        if (result.matched) {
+            response_.addRRset(Message::SECTION_AUTHORITY,
+                               boost::const_pointer_cast<AbstractRRset>(
+                                   result.closest_proof), dnssec_);
+
+        } else {
+            isc_throw(BadNSEC3, "No NSEC3 found for existing domain " <<
+                      qname_.toText());
+        }
     }
 }
 
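Review bot: The `else` arm of the new `isNSEC3Signed()` branch throws `BadNSEC3` whenever `findNSEC3(qname_, false)` finds no match, but an unmatched name is not always a broken zone. Under RFC 5155 a wildcard-synthesised NODATA answer (section 7.2.5) and a DS query at an opt-out delegation (section 7.2.4) have no NSEC3 matching the query name and need a closest encloser proof instead; the NSEC arm just above checks `db_result.isWildcard()`, this one does not. Unless those cases are filtered out earlier in `addNXRRsetProof`, whose body starts outside the hunk, they would end in SERVFAIL for a correctly signed zone. If they are deferred to a later change, I would say so at the throw, e.g. `// TODO: wildcard and opt-out DS NODATA need a closest encloser proof, not an exact match`.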

+ 11 - 0
src/bin/auth/query.h

@@ -270,6 +270,17 @@ public:
         {}
     };
 
+    /// An invalid result is given when a valid NSEC3 is expected
+    ///
+    /// This can only happen when the underlying data source implementation or
+    /// the zone is broken.  By throwing an exception we treat such cases
+    /// as SERVFAIL.
+    struct BadNSEC3 : public BadZone {
+        BadNSEC3(const char* file, size_t line, const char* what) :
+            BadZone(file, line, what)
+        {}
+    };
+
     /// An invalid result is given when a valid DS records (or NXRRSET) is
     /// expected
     ///
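Review bot: The doc comment on `BadNSEC3` does not say which lookup produces it, and its first sentence reads as though the exception itself were the invalid result. From the query.cc change in this commit it is thrown by `addNXRRsetProof` when `findNSEC3()` reports no match for the query name, so I would open the comment with `/// Thrown when no matching NSEC3 is found for a name that exists in an NSEC3-signed zone`. The enclosing class starts and ends outside the hunk.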