rec: Add comments to clarify the no DS case when detecting zone cuts

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index fa73da9945682f1d3158dfbec25b7033dfc85b97..968726fbec4cd24a40afd6c96223571c8c72b5f4 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1784,6 +1784,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 
     if (rcode == RCode::NoError) {
       if (ds.empty()) {
+        /* we have no DS, it's either:
+           - a delegation to a non-DNSSEC signed zone
+           - no delegation, we stay in the same zone
+        */
         if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) {
           /* we are still inside the same zone */
 
@@ -1798,6 +1802,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
           *foundCut = true;
         }
 
+        /* a delegation with no DS is either:
+           - a signed zone (Secure) to an unsigned one (Insecure)
+           - an unsigned zone to another unsigned one (Insecure stays Insecure, Bogus stays Bogus)
+        */
         return state == Secure ? Insecure : state;
       } else {
         /* we have a DS */