rrc.d_tag = 0;
// XXX we know the apex already.. is is the SOA name which we determined earlier
- if(!getSignerApexFor(dk, signQName, rrc.d_signer)) {
- cerr<<"No signer known for '"<<signQName<<"'\n";
+ if(!getSignerApexFor(dk, signQName, rrc.d_signer)) { // this is the cutout for signing non-dnssec enabled zones
+ // cerr<<"No signer known for '"<<signQName<<"'\n";
return -1;
}
// we sign the RRSET in toSign + the rrc w/o key
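Review bot: Commenting out the `cerr` lines at the `getSignerApexFor` check, and at the `getRRSIGsForRRSET(...) < 0` check in the next hunk, makes every signing failure silent, not only the intended "zone is not DNSSEC-enabled" case. As far as these lines show, a zone that is meant to be signed but whose signer lookup or signing fails would now be answered without RRSIGs and with no trace for the operator, and validating resolvers would treat those answers as bogus. I would keep the two cases apart: return quietly only when the zone has no active keys, and still report any other failure through the daemon's logger instead of leaving dead code behind. At minimum, replace the commented-out statement with a comment such as `// not an error: zone has no active keys, so it is served unsigned`. Both enclosing functions start and end outside the hunks.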
return;
if(getRRSIGsForRRSET(dk, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
- cerr<<"Error signing a record!"<<endl;
+ // cerr<<"Error signing a record!"<<endl;
return;
}
BOOST_FOREACH(RRSIGRecordContent& rrc, rrcs) {
rr.auth = 1;
r->addRecord(rr);
- if(p->d_dnssecOk)
+ if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
addNSECX(p, r, target, sd.qname, 1);
r->setRcode(RCode::NXDomain);
rr.d_place=DNSResourceRecord::AUTHORITY;
rr.auth = 1;
r->addRecord(rr);
-
- if(p->d_dnssecOk)
+
+ if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
addNSECX(p, r, target, sd.qname, 0);
S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
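Review bot: The two `addNSECX` calls are now gated on `d_dk.haveActiveKSKFor(sd.qname)`, while the signing cutout earlier in this commit is a failed `getSignerApexFor`. If those two checks ever disagree for a zone, a response can carry denial-of-existence records without signatures, or signatures without the proof. Whether they can disagree is not visible from these lines, so a comment stating that both derive from the same key lookup would help. The condition is also written out twice; if both sites share a scope, compute it once, e.g. `const bool signedZone = p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname);`, and test `signedZone` in both places. The enclosing function starts and ends outside the hunk.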
continue; // skip SOA - would indicate end of AXFR
if(rr.qtype.getCode() == QType::NS) {
- cerr<<rr.qname<<" NS, auth="<<rr.auth<<endl;
+ // cerr<<rr.qname<<" NS, auth="<<rr.auth<<endl;
}
outpacket->addRecord(rr);
}
}
-
- for(nsecrepo_t::const_iterator iter = nsecrepo.begin(); iter != nsecrepo.end(); ++iter) {
- cerr<<"Adding for '"<<iter->first<<"'\n";
- NSECRecordContent nrc;
- nrc.d_set = iter->second;
- nrc.d_set.insert(QType::RRSIG);
- nrc.d_set.insert(QType::NSEC);
- if(boost::next(iter) != nsecrepo.end()) {
- nrc.d_next = boost::next(iter)->first;
+ if(dk.haveActiveKSKFor(sd.qname)) {
+ for(nsecrepo_t::const_iterator iter = nsecrepo.begin(); iter != nsecrepo.end(); ++iter) {
+ cerr<<"Adding for '"<<iter->first<<"'\n";
+ NSECRecordContent nrc;
+ nrc.d_set = iter->second;
+ nrc.d_set.insert(QType::RRSIG);
+ nrc.d_set.insert(QType::NSEC);
+ if(boost::next(iter) != nsecrepo.end()) {
+ nrc.d_next = boost::next(iter)->first;
+ }
+ else
+ nrc.d_next=nsecrepo.begin()->first;
+
+ rr.qname = iter->first;
+
+ rr.ttl = 3600;
+ rr.content = nrc.getZoneRepresentation();
+ rr.qtype = QType::NSEC;
+ rr.d_place = DNSResourceRecord::ANSWER;
+ outpacket->addRecord(rr);
+ count++;
}
- else
- nrc.d_next=nsecrepo.begin()->first;
-
- rr.qname = iter->first;
-
- rr.ttl = 3600;
- rr.content = nrc.getZoneRepresentation();
- rr.qtype = QType::NSEC;
- rr.d_place = DNSResourceRecord::ANSWER;
- outpacket->addRecord(rr);
- count++;
}
-
if(count) {
sendPacket(outpacket, outsock);