From 186f3b156133d18a122786f1c6117c241080740a Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 28 Apr 2017 19:01:26 +0200
Subject: [PATCH] rec: Skip DNSSEC validation for cache hits from authoritative
 zones

(cherry picked from commit 129bb0c322b6a20860c14f0b1bcfcad2bd586389)
---
 pdns/syncres.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 11f35b0ff..d945df972 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -770,7 +770,16 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
   QType qtnull(0);
 
   DNSName authname(qname);
-  bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+  bool wasForwardedOrAuth = false;
+  bool wasAuth = false;
+  domainmap_t::const_iterator iter=getBestAuthZone(&authname);
+  if(iter != t_sstorage->domainmap->end()) {
+    wasForwardedOrAuth = true;
+    const vector<ComboAddress>& servers = iter->second.d_servers;
+    if(servers.empty()) {
+      wasAuth = true;
+    }
+  }
 
   if(s_rootNXTrust &&
      (range.first=t_sstorage->negcache.find(tie(getLastLabel(qname), qtnull))) != t_sstorage->negcache.end() &&
@@ -865,6 +874,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
     if(found && !expired) {
       if(!giveNegative)
         res=0;
+      d_wasOutOfBand = wasAuth;
       return true;
     }
     else
-- 
2.40.0