From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 2 May 2019 18:01:30 +0000 (+0200)
Subject: auth: always add DS for secure zones, broken since #7523
X-Git-Tag: rec-4.2.0-rc1~33^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fc8ed1ad6e818a386f8142c9085e34a849db5c9e;p=pdns

auth: always add DS for secure zones, broken since #7523
---

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f626ff95f..9d686a69f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1031,7 +1031,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
   if(!retargeted)
     r->setA(false);
 
-  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
     addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
   }