From: Remi Gacogne Date: Mon, 17 Jun 2019 08:40:57 +0000 (+0200) Subject: rec: Add comments to clarify the no DS case when detecting zone cuts X-Git-Tag: dnsdist-1.4.0-rc1~120^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7928%2Fhead;p=thirdparty%2Fpdns.git rec: Add comments to clarify the no DS case when detecting zone cuts
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index fa73da9945..968726fbec 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1784,6 +1784,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 if (rcode == RCode::NoError) {
 if (ds.empty()) {
+ /* we have no DS, it's either:
+ - a delegation to a non-DNSSEC signed zone
+ - no delegation, we stay in the same zone
+ */
 if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) {
 /* we are still inside the same zone */
@@ -1798,6 +1802,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 *foundCut = true;
 }
+ /* a delegation with no DS is either:
+ - a signed zone (Secure) to an unsigned one (Insecure)
+ - an unsigned zone to another unsigned one (Insecure stays Insecure, Bogus stays Bogus)
+ */
 return state == Secure ? Insecure : state;
 } else {
 /* we have a DS */
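Review bot: The comment added under `if (ds.empty())` lists the two possible cases but does not say how the code tells them apart, and that is the part a reader needs when reasoning about validation. The context line right below it treats `gotCNAME || denialProvesNoDelegation(zone, dsrecords)` as "still inside the same zone"; I would add a line such as `- a CNAME answer, or a denial proving there is no delegation, means we are still in the parent zone` so it is clear why a CNAME counts. It would also be worth stating in the comment whether `dsrecords` has already been validated when this branch runs, because an unvalidated denial would make a stripped DS look like an insecure delegation; any such check is outside the hunk. getDSRecords starts and ends outside the hunk.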
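Review bot: The comment above `return state == Secure ? Insecure : state;` names only Secure, Insecure and Bogus, while the ternary returns every other value of `state` unchanged. If `vState` has further values that can reach this line (its definition is not visible here), the comment should cover them, for example with `- any other state is returned as is`. This is also the one place in the hunk where a Secure chain is downgraded to Insecure, so the comment could note that the downgrade presumably relies on the absence of a DS having been proven by the parent zone rather than merely observed.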