From: Kees Monshouwer
Date: Sat, 9 Jul 2016 16:50:38 +0000 (+0200)
Subject: improve dnssec record skipping for non dnssec queries
X-Git-Tag: auth-4.0.1~31^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F4119%2Fhead;p=thirdparty%2Fpdns.git

improve dnssec record skipping for non dnssec queries
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 2f2f404829..4043131f94 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -952,8 +952,20 @@ void startDoResolve(void *p)
 bool needCommit = false;
 for(auto i=ret.cbegin(); i!=ret.cend(); ++i) {
- if(!DNSSECOK && (i->d_type == QType::RRSIG || i->d_type==QType::NSEC || i->d_type==QType::NSEC3))
+ if( ! DNSSECOK &&
+ ( i->d_type == QType::NSEC3 ||
+ (
+ ( i->d_type == QType::RRSIG || i->d_type==QType::NSEC ) &&
+ (
+ ( dc->d_mdp.d_qtype != i->d_type && dc->d_mdp.d_qtype != QType::ANY ) ||
+ i->d_place != DNSResourceRecord::ANSWER
+ )
+ )
+ )
+ ) {
 continue;
+ }
+
 pw.startRecord(i->d_name, i->d_type, i->d_ttl, i->d_class, i->d_place);
 if(i->d_type != QType::OPT) // their TTL ain't real
 minTTL = min(minTTL, i->d_ttl);
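Review bot: The eleven-line condition added to the `ret` loop in startDoResolve encodes a filtering rule that is written down nowhere, so a later edit can easily start passing or over-stripping DNSSEC records for clients that did not set DO. I would put a comment directly above the `if`, for example `// no DO bit: always drop NSEC3; drop RRSIG/NSEC unless the record is in the ANSWER section and the client asked for that type or ANY`, or move the test into a small named predicate. NSEC3 is dropped even when the query type is NSEC3 or ANY, unlike RRSIG and NSEC; that looks deliberate, but the comment should say why, since RFC 4035 section 3.2.1 forbids stripping explicitly requested DNSSEC types. The loop body and the function continue outside the hunk.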