From: Kees Monshouwer
Date: Fri, 26 Apr 2019 10:08:58 +0000 (+0200)
Subject: auth: add comments to explain the DS referall logic
X-Git-Tag: rec-4.2.0-rc1~36^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7637%2Fhead;p=thirdparty%2Fpdns.git
auth: add comments to explain the DS referall logic
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 40ae41871d..8bc108a06a 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1455,6 +1455,9 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
 bool doReferral = true;
 if(d_dk.doesDNSSEC()) {
 for(auto& loopRR: rrset) {
+ // In a dnssec capable backend auth=true means, there is no delagation at
+ // or above this qname in this zone (for DS queries). Without a delegation,
+ // at or above this level, it is pointless to search for refferals.
 if(loopRR.auth) {
 doReferral = false;
 break;
@@ -1462,6 +1465,8 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
 }
 } else {
 for(auto& loopRR: rrset) {
+ // In a non dnssec capable backend auth is always true, so our only option
+ // is, always look for referals. Unless there is a direct match for DS.
 if(loopRR.dr.d_type == QType::DS) {
 doReferral = false;
 break;
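Review bot: The comment added above `if(loopRR.auth)` states the contract the whole DNSSEC branch relies on, but the misspellings ("delagation", "refferals") and the stray commas make it hard to parse; the comment in the second hunk has the same spelling problem ("referals"). Suggested wording: `// In a DNSSEC-capable backend, auth=true means there is no delegation at or`, `// above this qname in this zone (for DS queries). Without a delegation at or`, `// above this level it is pointless to search for referrals.` Because the referral decision trusts the backend's auth flag, the comment should also say what guarantees that flag is correct; that presumably depends on how the zone data was prepared, which this hunk does not show. The body of doQuestion starts and ends outside the hunk.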
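Review bot: The second sentence of the comment above `if(loopRR.dr.d_type == QType::DS)` is a fragment, and it leaves implicit that the auth flag carries no information in this branch, which is why the DS type check is used instead. Suggested wording: `// In a non-DNSSEC-capable backend auth is always true and cannot be used here,` followed by `// so always look for referrals unless the rrset holds a direct match for DS.` The enclosing loop and function continue past the end of the hunk.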