From 1171215fc9b51dc4fd8166617c7c925e7d548f7a Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Sun, 22 Jan 2012 15:40:59 +0100
Subject: [PATCH] Handle NSEC3 records that point to the apex
---
 examples/q/q.go | 4 +++-
 nsec3.go | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/examples/q/q.go b/examples/q/q.go
index adde4162..473e8655 100644
--- a/examples/q/q.go
+++ b/examples/q/q.go
@@ -204,7 +204,9 @@ Check:
 fmt.Printf(";+ Correct denial of existence (NSEC3/NODATA)\n")
 default:
 // w == 0
- fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
+ if err != nil {
+ fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
+ }
 }
 }
diff --git a/nsec3.go b/nsec3.go
index f2d68f43..f44db00a 100644
--- a/nsec3.go
+++ b/nsec3.go
@@ -73,8 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
 func (nsec3 *RR_NSEC3) Cover(domain string) bool {
 hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 nextdom := strings.ToUpper(nsec3.NextDomain)
- owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])
- return hashdom > owner && hashdom <= nextdom
+ owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
+ apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
+ // if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
+ if hashdom > owner && nextdom == apex {
+ return true
+ }
+
+ if hashdom > owner && hashdom <= nextdom {
+ return true
+ }
+
+ return false
 }
 // NsecVerify verifies an denial of existence response with NSECs
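Review bot: With the added `if err != nil` guard, the `default` branch (`w == 0`) in examples/q/q.go prints nothing at all when `err` is nil, so the output carries no verdict for the NSEC3 denial check and an unverified answer looks the same as one that was never checked. Keep an explicit line for that case, for example `} else { fmt.Printf(";- Incorrect denial of existence (NSEC3)\n") }`. The enclosing switch starts outside the hunk, so what `w == 0` with a nil error means is inferred from the comment only.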
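Review bot: The new wrap-around test in `Cover` only fires when `nextdom` equals the hash of the zone apex, but the last NSEC3 in a chain points to the smallest hash in the zone, which need not be the apex's hash. A name whose hash sorts below `nextdom` in that last interval is still reported as not covered, and in the ordinary case `hashdom <= nextdom` treats a hash equal to the next owner as covered, although RFC 5155 defines covering as strictly between the two hashes. Comparing `owner` with `nextdom` detects the wrap without hashing the apex, as sketched below; it also removes the dependence on whether `HashName` treats the joined name without a trailing dot like the fully qualified one, which is not visible in this hunk. For a validator both directions matter: valid denials get rejected, or a denial is accepted for a name that exists.

```go
owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
// … unchanged: hashdom and nextdom are computed above …
if owner < nextdom {
	// ordinary interval: strictly between owner and next
	return hashdom > owner && hashdom < nextdom
}
// last NSEC3 in the chain: the next hash wraps around to the smallest hash
return hashdom > owner || hashdom < nextdom
```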