don't add nsec3 records for insecure delegations in optout zones

author Kees Monshouwer <mind04@monshouwer.org>

Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)

committer mind04 <mind04@monshouwer.org>

Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)
author Kees Monshouwer <mind04@monshouwer.org>
Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)
committer mind04 <mind04@monshouwer.org>
Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc

index 1b25b8a7c0df4845982fb22a1a95d7b28c095475..926f4b477e3cafcda54c0ba7d680ff005e257559 100644 (file)
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -267,7 +267,7 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, true, QType::DS);
        if (!auth || nsset.count(qname)) {
          ordername.clear();
-        if(isOptOut)
+        if(isOptOut && !dsnames.count(qname))
            sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::NS);
          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::A);
          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::AAAA);
author	Kees Monshouwer <mind04@monshouwer.org>
	Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)
committer	mind04 <mind04@monshouwer.org>
	Tue, 29 Mar 2016 07:39:49 +0000 (09:39 +0200)