From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 2 May 2019 18:01:30 +0000 (+0200)
Subject: auth: always add DS for secure zones, broken since #7523
X-Git-Tag: rec-4.2.0-rc1~33^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7772%2Fhead;p=thirdparty%2Fpdns.git

auth: always add DS for secure zones, broken since #7523
---

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f626ff95f8..9d686a69fe 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1031,7 +1031,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
   if(!retargeted)
     r->setA(false);
 
-  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
     addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
   }