From 043a4427571164ae70aacc20ba7ad85a1d51b13e Mon Sep 17 00:00:00 2001
From: Yasar Alev
Date: Tue, 13 Nov 2018 23:30:58 +0000
Subject: [PATCH] nsec3 cover problems (#804)

* nsec3 cover fix
* nsec3 cover fix test
* nsec3 covered empty intervals
* nsec3 another condition
* nsec3 empty interval wildcard test
* nsec3 empty interval comment
---
 nsecx.go | 6 ++++--
 nsecx_test.go | 12 ++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/nsecx.go b/nsecx.go
index 9b908c44..7b4c55e2 100644
--- a/nsecx.go
+++ b/nsecx.go
@@ -63,8 +63,10 @@ func (rr *NSEC3) Cover(name string) bool {
 }
 nextHash := rr.NextDomain
- if ownerHash == nextHash { // empty interval
- return false
+
+ // if empty interval found, try cover wildcard hashes so nameHash shouldn't match with ownerHash
+ if ownerHash == nextHash && nameHash != ownerHash { // empty interval
+ return true
 }
 if ownerHash > nextHash { // end of zone
 if nameHash > ownerHash { // covered since there is nothing after ownerHash
diff --git a/nsecx_test.go b/nsecx_test.go
index 74ebda3f..84329c9e 100644
--- a/nsecx_test.go
+++ b/nsecx_test.go
@@ -112,6 +112,18 @@ func TestNsec3(t *testing.T) {
 name: "asd.com.",
 covers: false,
 },
+ { // empty interval wildcard
+ rr: &NSEC3{
+ Hdr: RR_Header{Name: "2n1tb3vairuobl6rkdvii42n9tfmialp.com."},
+ Hash: 1,
+ Flags: 1,
+ Iterations: 5,
+ Salt: "F10E9F7EA83FC8F3",
+ NextDomain: "2N1TB3VAIRUOBL6RKDVII42N9TFMIALP",
+ },
+ name: "*.asd.com.",
+ covers: true,
+ },
 { // name hash is before owner hash, not covered
 rr: &NSEC3{
 Hdr: RR_Header{Name: "3V62ULR0NRE83V0RJA2VJGTLIF9V6RAB.com."},
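Review bot: The new empty-interval branch in Cover returns only for the covered case and lets `nameHash == ownerHash` fall through to the range comparisons further down, which lie outside this hunk, so the "not covered" answer for the record's own hash is implicit. Cover decides whether an NSEC3 record proves a name absent, so I would state both outcomes at the branch: `if ownerHash == nextHash { return nameHash != ownerHash }`. The added comment also reads as if the case were specific to wildcards, while the condition applies to any name; `// single-record chain: every hash except the owner's own is covered` describes what the code does. Cover's body starts and ends outside the hunk.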
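Review bot: The added table entry in TestNsec3 pins only the `covers: true` side of the empty-interval branch. Whether the `asd.com.` entry just above it uses the same single-record NSEC3 (owner equal to NextDomain), and so exercises the `nameHash == ownerHash` side, cannot be seen from this hunk. If it does not, add a sibling entry with the same `rr` and `covers: false`. Labelling the pair would help, for example `// empty interval, name hashes to the owner: not covered` and `// empty interval, any other name: covered`.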