From: Pieter Lexis Date: Wed, 1 Jun 2016 21:02:56 +0000 (+0200) Subject: Recursor: +CD on queries forwarded to a recursor X-Git-Tag: rec-4.0.0-rc1~8^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F3926%2Fhead;p=thirdparty%2Fpdns.git Recursor: +CD on queries forwarded to a recursor --- diff --git a/pdns/lwres.cc b/pdns/lwres.cc index 3313d26c92..758296f8d0 100644 --- a/pdns/lwres.cc +++ b/pdns/lwres.cc @@ -65,7 +65,18 @@ int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool d pw.getHeader()->rd=sendRDQuery; pw.getHeader()->id=dns_random(0xffff); - + /* RFC 6840 section 5.9: + * This document further specifies that validating resolvers SHOULD set + * the CD bit on every upstream query. This is regardless of whether + * the CD bit was set on the incoming query [...] + * + * sendRDQuery is only true if the qname is part of a forward-zone-recurse (or + * set in the forward-zone-file), so we use this as an indicator for it being + * an "upstream query". To stay true to "dnssec=off means 3.X behaviour", we + * only set +CD on forwarded query in any mode other than dnssec=off. + */ + pw.getHeader()->cd=(sendRDQuery && ::arg()["dnssec"] != "off"); + string ping; bool weWantEDNSSubnet=false; if(EDNS0Level && !doTCP) {
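Review bot: the condition on the new `pw.getHeader()->cd=(sendRDQuery && ::arg()["dnssec"] != "off");` line in asyncresolve() is broader than the RFC 6840 section 5.9 text quoted above it. That text is addressed to validating resolvers, while `!= "off"` matches every other dnssec setting, whether or not this resolver validates the answer itself in that setting. With +CD set the forwarder is told not to validate, so in any non-off mode where the recursor does not validate, a forwarded answer would be checked by neither side. Consider limiting the assignment to the modes that actually validate, or extending the comment to say why +CD is wanted in the others. Separately, `::arg()["dnssec"]` is looked up and string-compared on every outgoing query here; reading the setting once at startup into a flag and testing that flag would keep this path cheap.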