From b17799a96bacb782b31b7255726cc1a6a5b3c840 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Thu, 12 Mar 2015 17:38:51 +0100 Subject: [PATCH] NSEC3 and related RRSIGS are not part of the dnstree --- pdns/packethandler.cc | 10 ++++------ regression-tests/tests/nsec3-hash-query/command | 2 ++ regression-tests/tests/nsec3-hash-query/description | 1 + .../tests/nsec3-hash-query/expected_result | 3 +++ 4 files changed, 10 insertions(+), 6 deletions(-) create mode 100755 regression-tests/tests/nsec3-hash-query/command create mode 100644 regression-tests/tests/nsec3-hash-query/description create mode 100644 regression-tests/tests/nsec3-hash-query/expected_result diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 1ab5118a0..13da01b0d 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -1177,12 +1177,10 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) weDone = weRedirected = weHaveUnauth = false; while(B.get(rr)) { - if (p->qtype.getCode() == QType::ANY) { - if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. - continue; // TODO: this actually means addRRSig should check if the RRSig is already there. - if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) - continue; // Don't send dnssec info to non validating resolvers. - } + if (p->qtype.getCode() == QType::ANY && !p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) + continue; // Don't send dnssec info to non validating resolvers. + if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. + continue; // TODO: this actually means addRRSig should check if the RRSig is already there // cerr<<"Auth: "<qtype)<<", "<qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) 
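Review bot: The relocated RRSIG skip keeps the old comment `RRSIGS are added later any way`, which does not explain why the filter now runs for every qtype instead of only for ANY. A comment such as `// Backend RRSIGs must not make an owner name exist (e.g. an NSEC3 hash label); skip them for all qtypes, signatures are attached later.` would record the denial-of-existence reason next to the check. Only RRSIG is filtered here: an NSEC3 record returned by `B.get(rr)` still reaches the `rr.qtype == p->qtype` / ANY comparison below, so if the backend can return one for a hash owner, the name would presumably still be treated as present for qtype NSEC3 or ANY. The loop body and the rest of questionOrRecurse continue outside the hunk, so how skipped records influence the final rcode cannot be confirmed from here.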
diff --git a/regression-tests/tests/nsec3-hash-query/command b/regression-tests/tests/nsec3-hash-query/command
new file mode 100755
index 000000000..a41f17c9d
--- /dev/null
+++ b/regression-tests/tests/nsec3-hash-query/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com A
diff --git a/regression-tests/tests/nsec3-hash-query/description b/regression-tests/tests/nsec3-hash-query/description
new file mode 100644
index 000000000..4bc5b05b4
--- /dev/null
+++ b/regression-tests/tests/nsec3-hash-query/description
@@ -0,0 +1 @@
+NSEC3 hashes are no part of the dns tree.
diff --git a/regression-tests/tests/nsec3-hash-query/expected_result b/regression-tests/tests/nsec3-hash-query/expected_result
new file mode 100644
index 000000000..e178b0102
--- /dev/null
+++ b/regression-tests/tests/nsec3-hash-query/expected_result
@@ -0,0 +1,3 @@
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.', qtype=A
-- 2.40.0
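Review bot: The new regression case in `command` queries the NSEC3 hash owner only with qtype A, while the change in pdns/packethandler.cc alters RRSIG handling for every qtype. Adding further queries for the same owner, for example `cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com RRSIG` and `cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com ANY`, together with their expected results, would pin the denial-of-existence behaviour for the types most likely to regress. The correct rcode for those queries is not shown on the page and would have to be confirmed against the server before the expected_result file is extended.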