From 16cf9135f3e3fd4af95f0945bd95a4dbf57e9bf6 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Tue, 28 May 2013 10:04:34 +0200 Subject: [PATCH] make superfluous 'bind' NSEC3 record optional --- pdns/common_startup.cc | 3 +++ pdns/common_startup.hh | 1 + pdns/packethandler.cc | 4 ++-- pdns/pdns.conf-dist | 5 +++++ 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index ba8df88d2..044b38f7b 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -17,6 +17,7 @@ */ #include "common_startup.hh" bool g_anyToTcp; +bool g_addSuperfluousNSEC3; typedef Distributor DNSDistributor; @@ -141,6 +142,7 @@ void declareArguments() ::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes"; ::arg().setSwitch("experimental-direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no"; + ::arg().setSwitch("add-superfluous-nsec3-for-old-bind","Add superfluous NSEC3 record to positive wildcard response")="yes"; ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256"; ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; @@ -334,6 +336,7 @@ void mainthread() newuid=Utility::makeUidNumeric(::arg()["setuid"]); g_anyToTcp = ::arg().mustDo("any-to-tcp"); + g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind"); DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing"); #ifndef WIN32 diff --git a/pdns/common_startup.hh b/pdns/common_startup.hh index 713884941..95ef5f8cc 100644 --- a/pdns/common_startup.hh +++ b/pdns/common_startup.hh @@ -50,5 +50,6 @@ extern void mainthread(); extern int isGuarded( char ** ); extern bool g_anyToTcp; +extern bool g_addSuperfluousNSEC3; #endif // COMMON_STARTUP_HH diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 549cac397..5d6272b4a 100644 
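Review bot: The new file-scope `bool g_addSuperfluousNSEC3;` in common_startup.cc carries no comment saying what it controls, and the same applies to the matching `extern bool g_addSuperfluousNSEC3;` added in common_startup.hh. It is zero-initialized until mainthread() assigns it from the `add-superfluous-nsec3-for-old-bind` switch, so any reader that ran before that assignment would silently see `false`, the opposite of the switch's "yes" default; whether any such reader exists is not visible from this diff. I would add `// cached value of add-superfluous-nsec3-for-old-bind, set in mainthread(); see PowerDNS issue 814` above the definition and mirror it on the extern declaration.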
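Review bot: The help text registered in declareArguments() for `add-superfluous-nsec3-for-old-bind` says what the record is but not why an operator would keep or drop it, which is the one thing they need before switching a DNSSEC compatibility knob off. The packethandler.cc hunk documents that old BIND needs this record (issue 814), so the option text should say so and state the consequence of disabling it, e.g. `::arg().setSwitch("add-superfluous-nsec3-for-old-bind","Add superfluous NSEC3 record to positive wildcard response; old BIND resolvers need it (issue 814), validation at such resolvers fails without it")="yes";`. Keeping the default at "yes" is the right choice, since it preserves the response shape existing validators have been seeing.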
--- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -603,7 +603,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c // add matching NSEC3 RR // we used to skip this one for mode 3, but old BIND needs it // see https://github.com/PowerDNS/pdns/issues/814 - // if (mode != 3) { + if (mode != 3 || g_addSuperfluousNSEC3) { unhashed=(mode == 0 || mode == 5) ? target : closest; hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); @@ -612,7 +612,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after); DLOG(L<<"Done calling for matching, hashed: '"<
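Review bot: The comment block directly above the new `if (mode != 3 || g_addSuperfluousNSEC3) {` still reads as if the record is always emitted ("we used to skip this one for mode 3, but old BIND needs it"), so it no longer describes the condition it sits on. I would replace the last two comment lines with `// old BIND needs this one even for mode 3 (see https://github.com/PowerDNS/pdns/issues/814);` followed by `// it is only skipped for mode 3 when add-superfluous-nsec3-for-old-bind=no`. Operators who set the switch to "no" trade a smaller mode-3 answer for failed validation at the resolvers the issue describes, which is worth spelling out wherever the switch is documented. addNSEC3() begins before this hunk, and the closing brace for this block presumably lies in the following hunk, which is cut off here, so I could not confirm that it is re-enabled in step with the condition.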