From fc8ed1ad6e818a386f8142c9085e34a849db5c9e Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 2 May 2019 20:01:30 +0200
Subject: [PATCH] auth: always add DS for secure zones, broken since #7523

---
 pdns/packethandler.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f626ff95f..9d686a69f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1031,7 +1031,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
   if(!retargeted)
     r->setA(false);
 
-  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
     addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
   }
 
-- 
2.40.0