1 files changed, 26 insertions, 2 deletions

diff --git a/drill/securetrace.c b/drill/securetrace.c
index c6e7e588409a..5fc493a7275d 100644
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@@ -138,7 +138,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	size_t j;
 	size_t k;
 	size_t l;
-	uint8_t labels_count;
+	uint8_t labels_count = 0;
 
 	/* dnssec */
 	ldns_rr_list *key_list;
@@ -156,6 +156,9 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 
 	/* empty non-terminal check */
 	bool ent;
+	ldns_rr  *nsecrr;      /* The nsec that proofs the non-terminal */
+	ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
+	ldns_rdf *label0;      /* The first label of an nsec3 owner name */
 
 	/* glue handling */
 	ldns_rr_list *new_ns_addr;
@@ -220,6 +223,8 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 			ldns_resolver_usevc(local_res));
 	ldns_resolver_set_random(res,
 			ldns_resolver_random(local_res));
+	ldns_resolver_set_source(res,
+			ldns_resolver_source(local_res));
 	ldns_resolver_set_recursive(local_res, true);
 
 	ldns_resolver_set_recursive(res, false);
@@ -380,8 +385,27 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 				/* there might be an empty non-terminal, in which case we need to continue */
 				ent = false;
 				for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
-					if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) {
+					nsecrr = ldns_rr_list_rr(nsec_rrs, j);
+					/* For NSEC when the next name is a subdomain of the question */
+					if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
+							ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
 						ent = true;
+
+					/* For NSEC3, the hash matches the name and the type bitmap is empty*/
+					} else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
+						hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
+						label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
+						if (hashed_name && label0 &&
+								ldns_dname_compare(hashed_name, label0) == 0 &&
+								ldns_nsec3_bitmap(nsecrr) == NULL) {
+							ent = true;
+						}
+						if (label0) {
+							LDNS_FREE(label0);
+						}
+						if (hashed_name) {
+							LDNS_FREE(hashed_name);
+						}
 					}
 				}
 				if (!ent) {