From 87c261bcddd25cea34885c4b49bb88641ed24c9e Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 14 Nov 2018 13:11:24 +0100
Subject: [PATCH] auth: add back isPartOf check in additional processing

Some backends (e.g. the LDAP backend, and the remote backend when the
operator does not provide an id) do not have an id per zone. This would
still add out of zone data to the additional section.
---
 pdns/packethandler.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 2ad9f567a..b82abb926 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -463,6 +463,11 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, c
       while(B.get(rr)) {
         if(rr.dr.d_type != QType::A && rr.dr.d_type!=QType::AAAA)
           continue;
+        if(!rr.dr.d_name.isPartOf(soadata.qname)) {
+          // FIXME we might still pass on the record if it is occluded and the
+          // backend uses a single id for all zones
+          continue;
+        }
         rr.dr.d_place=DNSResourceRecord::ADDITIONAL;
         toAdd.push_back(rr);
       }
-- 
2.40.0