auth: fix referral response for DS queries
authorKees Monshouwer <mind04@monshouwer.org>
Tue, 26 Mar 2019 23:51:57 +0000 (00:51 +0100)
committermind04 <mind04@monshouwer.org>
Thu, 28 Mar 2019 14:54:51 +0000 (15:54 +0100)
pdns/packethandler.cc

index 72888474af8ceaf1711e7fbd5214d1453730ebfb..40ae41871d5619c386dd115d00ce7e372f52c4f1 100644 (file)
@@ -1448,19 +1448,38 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       return 0;
     }
 
-    if(rrset.empty()) {
-      DLOG(g_log<<"checking if qtype is DS"<<endl);
-      if(p->qtype.getCode() == QType::DS)
-      {
+
+    // referral for DS query
+    if(p->qtype.getCode() == QType::DS) {
+      DLOG(g_log<<"Qtype is DS"<<endl);
+      bool doReferral = true;
+      if(d_dk.doesDNSSEC()) {
+        for(auto& loopRR: rrset) {
+          if(loopRR.auth) {
+            doReferral = false;
+            break;
+          }
+        }
+      } else {
+        for(auto& loopRR: rrset) {
+          if(loopRR.dr.d_type == QType::DS) {
+            doReferral = false;
+            break;
+          }
+        }
+      }
+      if(doReferral) {
         DLOG(g_log<<"DS query found no direct result, trying referral now"<<endl);
         if(tryReferral(p, r, sd, target, retargetcount))
         {
-          DLOG(g_log<<"got referral for DS query"<<endl);
+          DLOG(g_log<<"Got referral for DS query"<<endl);
           goto sendit;
         }
       }
+    }
 
 
+    if(rrset.empty()) {
       DLOG(g_log<<Logger::Warning<<"Found nothing in the by-name ANY, but let's try wildcards.."<<endl);
       bool wereRetargeted(false), nodata(false);
       DNSName wildcard;
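Review bot: The two loops that set `doReferral` use different tests, any record with `loopRR.auth` set when `d_dk.doesDNSSEC()` is true and only a record of type `QType::DS` otherwise, and nothing in the hunk says why. I would add a comment above the `if(d_dk.doesDNSSEC())` line, for example `// auth is only trusted when DNSSEC is in use; otherwise only an actual DS record suppresses the referral`, adjusted if that is not the real reason. The first branch then relies on `auth` being accurate for every record at the name, which looks like a data precondition worth stating, since a wrong flag would change whether a DS query gets a direct answer or a referral. Both loops only read the records, so `for(const auto& loopRR: rrset)` fits better. `doQuestion` starts and ends outside the hunk, as does the `if(rrset.empty())` block opened on the last added line.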