auth: add comments to explain the DS referall logic

author Kees Monshouwer <mind04@monshouwer.org>

Fri, 26 Apr 2019 10:08:58 +0000 (12:08 +0200)

committer mind04 <mind04@monshouwer.org>

Fri, 26 Apr 2019 10:15:06 +0000 (12:15 +0200)
author Kees Monshouwer <mind04@monshouwer.org>
Fri, 26 Apr 2019 10:08:58 +0000 (12:08 +0200)
committer mind04 <mind04@monshouwer.org>
Fri, 26 Apr 2019 10:15:06 +0000 (12:15 +0200)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc

index 40ae41871d5619c386dd115d00ce7e372f52c4f1..8bc108a06a120758f46067af70139b4030af4a52 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1455,6 +1455,9 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
        bool doReferral = true;
        if(d_dk.doesDNSSEC()) {
          for(auto& loopRR: rrset) {
+          // In a dnssec capable backend auth=true means, there is no delagation at
+          // or above this qname in this zone (for DS queries). Without a delegation,
+          // at or above this level, it is pointless to search for refferals.
            if(loopRR.auth) {
              doReferral = false;
              break;
@@ -1462,6 +1465,8 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
          }
        } else {
          for(auto& loopRR: rrset) {
+          // In a non dnssec capable backend auth is always true, so our only option
+          // is, always look for referals. Unless there is a direct match for DS.
            if(loopRR.dr.d_type == QType::DS) {
              doReferral = false;
              break;
author	Kees Monshouwer <mind04@monshouwer.org>
	Fri, 26 Apr 2019 10:08:58 +0000 (12:08 +0200)
committer	mind04 <mind04@monshouwer.org>
	Fri, 26 Apr 2019 10:15:06 +0000 (12:15 +0200)