auth: always add DS for secure zones, broken since #7523

author Kees Monshouwer <mind04@monshouwer.org>

Thu, 2 May 2019 18:01:30 +0000 (20:01 +0200)

committer mind04 <mind04@monshouwer.org>

Thu, 2 May 2019 18:16:26 +0000 (20:16 +0200)
author Kees Monshouwer <mind04@monshouwer.org>
Thu, 2 May 2019 18:01:30 +0000 (20:01 +0200)
committer mind04 <mind04@monshouwer.org>
Thu, 2 May 2019 18:16:26 +0000 (20:16 +0200)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc

index f626ff95f84337b5328b956e25356e6de4a3cfe2..9d686a69fe80b2355285e660436f63faa147d50f 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1031,7 +1031,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
    if(!retargeted)
      r->setA(false);
  
-  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
      addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
    }
author	Kees Monshouwer <mind04@monshouwer.org>
	Thu, 2 May 2019 18:01:30 +0000 (20:01 +0200)
committer	mind04 <mind04@monshouwer.org>
	Thu, 2 May 2019 18:16:26 +0000 (20:16 +0200)