Follow-up from "Draft: Graceful dnssec-policy transition from NSEC only to NSEC3"

The following discussion from !6647 (merged) should be addressed:

@aram started a discussion: (+2 comments)

While reviewing, I checked dns_nsec3_activex() (because it is called by dns_zone_check_dnskey_nsec3()), and I think it's missing a dns_db_detachnode() there:

diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index fca6459343..253de1cab7 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1830,6 +1830,7 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,

 try_private:
        if (privatetype == 0 || complete) {
+               dns_db_detachnode(db, &node);
                *answer = false;
                return (ISC_R_SUCCESS);
        }

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information