don't calculate NSEC/NSEC3 chain for insecure zones on outgoing AXFR

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1963 d19b8d6e-7fed-0310-83ef-9ca221ded41b

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index ab91b931a46a57f86dfeb079155ebacdf256fc04..3d5d6c3976b724120dbc54a0f10e1ad687de87ec 100644 (file)
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -421,7 +421,6 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
   bool narrow;
   bool NSEC3Zone=false;
   
-  
   DNSSECKeeper dk;
   bool securedZone = dk.isSecuredZone(target);
   if(dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
@@ -526,7 +525,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
   string keyname;
   
   while(sd.db->get(rr)) {
-    if(rr.auth || rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::DS) {
+    if(securedZone && (rr.auth || rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::DS)) {
       keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : rr.qname;
       NSECXEntry& ne = nsecxrepo[keyname];
       ne.d_set.insert(rr.qtype.getCode());
@@ -542,7 +541,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
     }
   }
   
-  if(dk.isSecuredZone(target)) {   
+  if(securedZone) {   
     if(NSEC3Zone) {
       for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
         NSEC3RecordContent n3rc;