From: Kees Monshouwer
Date: Thu, 12 Mar 2015 16:38:51 +0000 (+0100)
Subject: NSEC3 and related RRSIGS are not part of the dnstree
X-Git-Tag: auth-3.3.2~2^2~12
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d768d7f2ad094b089e4f99aa4f9a20271da9b40b;p=pdns
NSEC3 and related RRSIGS are not part of the dnstree
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 12760ec8b..2a85cdfed 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1159,12 +1159,10 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 weDone = weRedirected = weHaveUnauth = 0;
 while(B.get(rr)) {
- if (p->qtype.getCode() == QType::ANY) {
- if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
- continue; // TODO: this actually means addRRSig should check if the RRSig is already there.
- if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM))
- continue; // Don't send dnssec info to non validating resolvers.
- }
+ if (p->qtype.getCode() == QType::ANY && !p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM))
+ continue; // Don't send dnssec info to non validating resolvers.
+ if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
+ continue; // TODO: this actually means addRRSig should check if the RRSig is already there
 // cerr<<"Auth: "<qtype)<<", "<qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth)
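Review bot: The RRSIG `continue` in the `while(B.get(rr))` loop is now unconditional, so backend RRSIG rows are dropped for every qtype instead of only for ANY, yet the hunk keeps the old comment and TODO and does not say which later step puts the signatures back. That matters for a query whose qtype is RRSIG itself and for pre-signed zones, where the stored signatures are the only valid ones. If the later step runs only when `p->d_dnssecOk` is set, those answers would silently lose their RRSIGs; none of that is visible here, so it is worth a regression test. Once confirmed, I would replace the TODO with a comment stating the invariant, e.g. `// Backend RRSIGs are never copied here, for any qtype; addRRSig attaches them later and must also cover direct RRSIG queries.` questionOrRecurse starts and ends outside the hunk.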