From 7cd992965a60d83eedac56c89fba7a1d5b69c993 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Thu, 28 Jul 2016 15:17:39 +0200
Subject: [PATCH] don't send covering nsec records for direct nsec queries

---
 pdns/packethandler.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 90a66d279..843d27516 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -700,7 +700,8 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const DNSName& target, c
 
   DNSName before,after;
   sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
-  emitNSEC(r, sd, before, after, mode);
+  if (mode != 5 || before == target)
+    emitNSEC(r, sd, before, after, mode);
 
   if (mode == 2 || mode == 4) {
     // wildcard NO-DATA or wildcard denial
@@ -1330,7 +1331,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     // this TRUMPS a cname!
     if(p->qtype.getCode() == QType::NSEC && d_dk.isSecuredZone(sd.qname) && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
       addNSEC(p, r, target, DNSName(), sd.qname, 5);
-      goto sendit;
+      if (!r->isEmpty())
+        goto sendit;
     }
 
     // this TRUMPS a cname!
-- 
2.40.0
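Review bot: The new guard `if (mode != 5 || before == target)` in addNSEC hinges on the bare literal 5 and on `before == target`, and nothing at that point says what mode 5 is or why equality with `before` is the right test; a reader has to find the caller in questionOrRecurse to learn that 5 is the direct-NSEC-query mode. A one-line comment above the guard would carry that, e.g. `// mode 5 = direct NSEC query: answer only when the name itself exists (before == target); a covering NSEC for a nonexistent name must not be returned as the answer`. The test is only correct if getBeforeAndAfterNames() sets `before` to the queried name whenever that name exists in the zone, which the hunk does not show and is worth confirming against the backends. addNSEC stays void, so a caller can only learn whether anything was emitted by inspecting the packet afterwards; returning a bool from this path would make the contract explicit. The rest of addNSEC's body lies outside the hunk.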
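Review bot: The new `if (!r->isEmpty()) goto sendit;` infers that addNSEC emitted a record from the whole response packet being non-empty, which is an indirect signal: should anything earlier in questionOrRecurse already have added a record to r (the start of the function is outside the hunk, so I cannot tell), a direct NSEC query for a nonexistent name would be sent as-is instead of falling through to the normal NXDOMAIN handling that provides the proper denial. A comment stating the intent would help the next reader, e.g. `// addNSEC() emits nothing for mode 5 when the name does not exist; fall through to normal processing in that case`. If addNSEC reported whether it emitted anything (see the hunk at line 700), this could become `if (addNSEC(p, r, target, DNSName(), sd.qname, 5)) goto sendit;` and stop depending on packet state.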