Add a comment explaining things.

author Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fri, 25 Oct 2019 12:05:22 +0000 (14:05 +0200)

committer Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fri, 25 Oct 2019 12:06:29 +0000 (14:06 +0200)
author Otto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 25 Oct 2019 12:05:22 +0000 (14:05 +0200)
committer Otto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 25 Oct 2019 12:06:29 +0000 (14:06 +0200)
diff --git a/pdns/reczones.cc b/pdns/reczones.cc

index d5294a44c31f044c4a3d350db1ce2ff35e021cb2..dc72ab93297deba8dac282d90350286ddc136410 100644 (file)
--- a/pdns/reczones.cc
+++ b/pdns/reczones.cc
@@ -97,11 +97,17 @@ void primeHints(void)
    }
    t_RC->doWipeCache(g_rootdnsname, false, QType::NS);
    t_RC->replace(time(0), g_rootdnsname, QType(QType::NS), nsset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), false, boost::none, validationState); // and stuff in the cache
-
-  
-
  }
  
+
+// Do not only put the root hints into the cache, but also make sure
+// the NS records of the top level domains of the names of the root
+// servers are in the cache. We need these to correctly determine the
+// security status of that specific domain (normally
+// root-servers.net). This is caused by the accident that the root
+// servers are authoritative for root-servers.net, and some
+// implementations reply not with a delegation on a root-servers.net
+// DS query, but with a NODATA response (the domain is unsigned).
  void primeRootNSZones(bool dnssecmode)
  {
    struct timeval now;
author	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Fri, 25 Oct 2019 12:05:22 +0000 (14:05 +0200)
committer	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Fri, 25 Oct 2019 12:06:29 +0000 (14:06 +0200)