From: Kees Monshouwer
Date: Tue, 10 Nov 2020 19:12:06 +0000 (+0100)
Subject: auth: #9496 was incomplete, ignore cryptokeys in emitNSEC() and emitNSEC3()
X-Git-Tag: auth-4.4.0-beta1~3^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d16d4e67dcbd0ade440caf0dce421e6f1e3c234;p=thirdparty%2Fpdns.git
auth: #9496 was incomplete, ignore cryptokeys in emitNSEC() and emitNSEC3()
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 1cdb4470b8..333d05df15 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -564,19 +564,21 @@ void PacketHandler::emitNSEC(std::unique_ptr& r, const SOAData& sd, c
 nrc.set(QType::RRSIG);
 if(sd.qname == name) {
 nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
- auto keyset = d_dk.getKeys(name);
- for(const auto& value: keyset) {
- if (value.second.published) {
- nrc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (! publishCDNSKEY.empty())
- nrc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- nrc.set(QType::CDS);
- break;
+ if(!d_dk.isPresigned(sd.qname)) {
+ auto keyset = d_dk.getKeys(name);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ nrc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (! publishCDNSKEY.empty())
+ nrc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ nrc.set(QType::CDS);
+ break;
+ }
 }
 }
 }
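Review bot: The cryptokeys lookup and its new `isPresigned()` guard are duplicated verbatim in emitNSEC() here and in emitNSEC3() in the second hunk, differing only in the bitmap object (`nrc` vs `n3rc`). The commit subject says the earlier fix for #9496 was incomplete and had to be extended to these two functions. Moving the block into one helper that both functions call would keep the presigned rule in a single place. It would also let the guard and the lookups use the same name instead of mixing `sd.qname` with `name`, which are equal inside this branch but easy to misread. The helper below is a sketch that still needs a declaration in the class; both function bodies start and end outside the hunks.

```cpp
// Sets DNSKEY/CDNSKEY/CDS in an apex type bitmap from the cryptokeys table.
// Presigned zones are skipped, so entries in cryptokeys do not add types to their bitmap.
template <typename Bitmap>
void PacketHandler::setApexKeyTypes(const DNSName& name, Bitmap& bitmap)
{
  if (d_dk.isPresigned(name)) {
    return;
  }
  auto keyset = d_dk.getKeys(name);
  for (const auto& value : keyset) {
    if (!value.second.published) {
      continue;
    }
    bitmap.set(QType::DNSKEY);
    string publishCDNSKEY;
    d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
    if (!publishCDNSKEY.empty()) {
      bitmap.set(QType::CDNSKEY);
    }
    string publishCDS;
    d_dk.getPublishCDS(name, publishCDS);
    if (!publishCDS.empty()) {
      bitmap.set(QType::CDS);
    }
    return; // one published key is enough, as with the original break
  }
}

// … unchanged: emitNSEC() up to the apex branch …
    nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
    setApexKeyTypes(name, nrc);
// … emitNSEC3() makes the same call with n3rc after setting NSEC3PARAM …
```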
@@ -619,19 +621,21 @@ void PacketHandler::emitNSEC3(std::unique_ptr& r, const SOAData& sd,
 if (sd.qname == name) {
 n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
 n3rc.set(QType::NSEC3PARAM);
- auto keyset = d_dk.getKeys(name);
- for(const auto& value: keyset) {
- if (value.second.published) {
- n3rc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (! publishCDNSKEY.empty())
- n3rc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- n3rc.set(QType::CDS);
- break;
+ if(!d_dk.isPresigned(sd.qname)) {
+ auto keyset = d_dk.getKeys(name);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ n3rc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (! publishCDNSKEY.empty())
+ n3rc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ n3rc.set(QType::CDS);
+ break;
+ }
 }
 }
 }
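Review bot: No test in this commit pins the new behaviour, as far as the diff shows: only pdns/packethandler.cc is touched, and the subject says the earlier fix for #9496 missed these two functions. A regression case would use a presigned zone that still has rows in cryptokeys and compare the apex NSEC and NSEC3 type bitmaps against the records the zone actually holds. That would catch any further code path that omits the `isPresigned()` check. Presumably a bitmap that gains DNSKEY/CDNSKEY/CDS bits from cryptokeys no longer matches what the zone's stored signatures cover, so validators would reject the denial; confirm this against the presigned signing path, which is outside these hunks.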