When deciding if we are auth in the local auth or forwarding case,
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 2 Sep 2020 12:03:44 +0000 (14:03 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 2 Sep 2020 12:03:44 +0000 (14:03 +0200)
for DS records we need to look at the parent of the particular name.

Seems to fix #9433

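--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2942,6 +2942,10 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
         if (!t_sstorage.domainmap->empty()) {
           // Check if we are authoritative for a zone in this answer
           DNSName tmp_qname(rec.d_name);
+          // We may be auth for domain example.com, but the DS record needs to come from the parent (.com) nameserver
+          if (rec.d_type == QType::DS) {
+            tmp_qname.chopOff();
+          }
           auto auth_domain_iter=getBestAuthZone(&tmp_qname);
           if(auth_domain_iter!=t_sstorage.domainmap->end() &&
              auth.countLabels() <= auth_domain_iter->first.countLabels()) {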
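Review bot: The return value of `tmp_qname.chopOff()` is ignored in the added DS branch. As far as I know it returns false and leaves the name unchanged when the owner name is already the root, so that case silently gets the same `getBestAuthZone` lookup as before. This is probably harmless, but the lookup decides how answer records are treated when a local auth or forward zone matches, so I would say so in the comment, e.g. `// DS lives in the parent zone, so match the auth zone against the parent name; chopOff() leaves the root unchanged`. The commit message only says it "seems to" fix #9433 and only pdns/syncres.cc is visible here. A regression test with a DS answer for the apex of a locally configured auth zone, and one for a forwarded zone, would pin the intended behaviour. The body of `updateCacheFromRecords` and the `if` opened on the last line both continue outside the hunk.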