From: phonedph1 <phoned@gmail.com>
Date: Mon, 10 Sep 2018 17:32:07 +0000 (+0000)
Subject: If we have root-nx-trust on (default) and we have an neg SOA for ., and we sent to... 
X-Git-Tag: auth-4.2.0-alpha1~42^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ef32aec043867ffe2251f0a10f98d6423cc7b3e;p=thirdparty%2Fpdns.git

If we have root-nx-trust on (default) and we have an neg SOA for ., and we sent to . make sure we have AA=1 too.

This prevents forward zones from providing bogus data.
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index ac94aa7fb4..f5e186e9db 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2264,7 +2264,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
       */
       if(!wasVariable() && newtarget.empty()) {
         t_sstorage.negcache.add(ne);
-        if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot()) {
+        if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot() && lwr.d_aabit) {
           ne.d_name = ne.d_name.getLastLabel();
           t_sstorage.negcache.add(ne);
         }