rec: Skip the aggressive NSEC cache for internal and forward zones

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 122d71ff9bc36bc1841c2e39ab0aee020feb7d86..3af286e4a43d2b8b0ae331295976809136dd00c9 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1944,7 +1944,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
   }
 
   /* let's check if we have a NSEC covering that record */
-  if (g_aggressiveNSECCache) {
+  if (g_aggressiveNSECCache && !wasForwardedOrAuthZone) {
     if (g_aggressiveNSECCache->getDenial(d_now.tv_sec, qname, qtype, ret, res, d_cacheRemote, d_routingTag, d_doDNSSEC)) {
       state = vState::Secure;
       return true;