[1177] Empty nonterminal asterisk

src/lib/datasrc/database.cc

@@ -536,11 +536,30 @@ DatabaseClient::Finder::find(const isc::dns::Name& name,
                     } else if (hasSubdomains(wildcard)) {
                         // Empty non-terminal asterisk
                         records_found = true;
-                        get_cover = dnssec_data;
                         LOG_DEBUG(logger, DBG_TRACE_DETAILED,
                                   DATASRC_DATABASE_WILDCARD_EMPTY).
                             arg(accessor_->getDBName()).arg(wildcard).
                             arg(name);
+                        if (dnssec_data) {
+                            // Which one should contain the NSEC record?
+                            const Name
+                                coverName(findPreviousName(Name(wildcard)));
+                            // Get the record and copy it out
+                            found = getRRsets(coverName.toText(), nsec_types,
+                                              true);
+                            const FoundIterator
+                                nci(found.second.find(RRType::NSEC()));
+                            if (nci != found.second.end()) {
+                                result_status = WILDCARD_NXRRSET;
+                                result_rrset = nci->second;
+                            } else {
+                                // The previous doesn't contain NSEC, bug?
+                                isc_throw(DataSourceError, "No NSEC in " +
+                                          coverName.toText() + ", but it was "
+                                          "returned as previous - "
+                                          "accessor error?");
+                            }
+                        }
                         break;
                     }
                 }

src/lib/datasrc/tests/database_unittest.cc

@@ -172,6 +172,7 @@ const char* const TEST_RECORDS[][5] = {
     {"*.delegatedwild.example.org.", "A", "3600", "", "192.0.2.5"},
     {"wild.*.foo.example.org.", "A", "3600", "", "192.0.2.5"},
     {"wild.*.foo.*.bar.example.org.", "A", "3600", "", "192.0.2.5"},
+    {"bao.example.org.", "NSEC", "3600", "", "wild.*.foo.*.bar.example.org. NSEC"},
     {"*.cnamewild.example.org.", "CNAME", "3600", "", "www.example.org."},
     {"*.nswild.example.org.", "NS", "3600", "", "ns.example.com."},
     // For finding previous, this one is the last one in the zone
@@ -568,6 +569,8 @@ public:
                 return ("badnsec1.example.org.");
             } else if (rname == "org.example.brokenname.") {
                 return ("brokenname...example.org.");
+            } else if (rname == "org.example.bar.*.") {
+                return ("bao.example.org.");
             } else if (rname == "org.example.notimplnsec." ||
                        rname == "org.example.wild.here.") {
                 isc_throw(isc::NotImplemented, "Not implemented in this test");
@@ -1590,6 +1593,23 @@ TYPED_TEST(DatabaseClientTest, wildcard) {
         // DNSSEC logic handle it?
     }
 
+    const char* negative_dnssec_names[] = {
+        "a.bar.example.org.",
+        "foo.baz.bar.example.org.",
+        "a.foo.bar.example.org.",
+        NULL
+    };
+
+    this->expected_rdatas_.clear();
+    this->expected_rdatas_.push_back("wild.*.foo.*.bar.example.org. NSEC");
+    this->expected_sig_rdatas_.clear();
+    for (const char** name(negative_dnssec_names); *name != NULL; ++ name) {
+        doFindTest(*finder, isc::dns::Name(*name), this->qtype_,
+                   RRType::NSEC(), this->rrttl_, ZoneFinder::WILDCARD_NXRRSET,
+                   this->expected_rdatas_, this->expected_sig_rdatas_,
+                   Name("bao.example.org."), ZoneFinder::FIND_DNSSEC);
+    }
+
     // Some strange things in the wild node
     this->expected_rdatas_.clear();
     this->expected_rdatas_.push_back("www.example.org.");