rec: Skip DNSSEC validation for cache hits from authoritative zones

(cherry picked from commit 129bb0c322b6a20860c14f0b1bcfcad2bd586389)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 11f35b0ff287f4ad6e06de7d3e9cbdc1d7b71b1b..d945df97256b8b9c6a325af005a4a47b851ce995 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -770,7 +770,16 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
   QType qtnull(0);
 
   DNSName authname(qname);
-  bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+  bool wasForwardedOrAuth = false;
+  bool wasAuth = false;
+  domainmap_t::const_iterator iter=getBestAuthZone(&authname);
+  if(iter != t_sstorage->domainmap->end()) {
+    wasForwardedOrAuth = true;
+    const vector<ComboAddress>& servers = iter->second.d_servers;
+    if(servers.empty()) {
+      wasAuth = true;
+    }
+  }
 
   if(s_rootNXTrust &&
      (range.first=t_sstorage->negcache.find(tie(getLastLabel(qname), qtnull))) != t_sstorage->negcache.end() &&
@@ -865,6 +874,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
     if(found && !expired) {
       if(!giveNegative)
         res=0;
+      d_wasOutOfBand = wasAuth;
       return true;
     }
     else