From: Pieter Lexis Date: Tue, 12 Jul 2016 10:09:30 +0000 (+0200) Subject: Also validate on _only_ +DO X-Git-Tag: auth-4.0.1~43^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=885c88814ab0ef6d487d821f2f0fbd8add34e65c;p=thirdparty%2Fpdns.git Also validate on _only_ +DO Closes #4159 --- diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 2f2f404829..af9d057bae 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -888,7 +888,7 @@ void startDoResolve(void *p) pw.getHeader()->rcode=res; // Does the validation mode or query demand validation? - if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || (dc->d_mdp.d_header.ad && g_dnssecmode==DNSSECMode::Process)) { + if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process)) { try { if(sr.doLog()) { L<d_mdp.d_qname<<" for "<d_remote.toStringWithPort()<d_mdp.d_header.ad) + if (dc->d_mdp.d_header.ad || DNSSECOK) pw.getHeader()->ad=1; } else if(state == Insecure) { @@ -917,7 +917,7 @@ void startDoResolve(void *p) } // Does the query or validation mode sending out a SERVFAIL on validation errors? - if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || dc->d_mdp.d_header.ad)) { + if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || dc->d_mdp.d_header.ad || DNSSECOK)) { if(sr.doLog()) { L<d_mdp.d_qname<<" because recursor or query demands it for Bogus results"<