From 420faf6bfae92ec9b14ab8cf57b70eced555ca5b Mon Sep 17 00:00:00 2001
From: Bert Hubert
Date: Wed, 2 Feb 2011 08:47:56 +0000
Subject: [PATCH] don't calculate NSEC/NSEC3 chain for insecure zones on outgoing AXFR

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1963 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/tcpreceiver.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index ab91b931a4..3d5d6c3976 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -421,7 +421,6 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out
 bool narrow;
 bool NSEC3Zone=false;
- DNSSECKeeper dk;
 bool securedZone = dk.isSecuredZone(target);
 if(dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
@@ -526,7 +525,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out
 string keyname;
 while(sd.db->get(rr)) {
- if(rr.auth || rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::DS) {
+ if(securedZone && (rr.auth || rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::DS)) {
 keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : rr.qname;
 NSECXEntry& ne = nsecxrepo[keyname];
 ne.d_set.insert(rr.qtype.getCode());
@@ -542,7 +541,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out
 }
 }
- if(dk.isSecuredZone(target)) {
+ if(securedZone) {
 if(NSEC3Zone) {
 for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
 NSEC3RecordContent n3rc;
-- 
2.47.3
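Review bot: The new `securedZone &&` guard in the `while(sd.db->get(rr))` loop carries no comment explaining why insecure zones skip the `nsecxrepo` bookkeeping, and the flag it depends on is a mutable `bool` assigned roughly a hundred lines above the loop. I would put `// insecure zones get no NSEC/NSEC3 chain, so skip the per-record hashing and bookkeeping` above the `if`, and declare the flag as `const bool securedZone = dk.isSecuredZone(target);` so the collection guard here and the emission guard in the last hunk (`if(securedZone)`) cannot drift apart. For secured NSEC3 zones the loop still calls `hashQNameWithSalt` with `ns3pr.d_iterations` once per record; whether that iteration count is bounded anywhere is not visible in this patch, so it is worth confirming that a zone with a very large NSEC3PARAM iteration value cannot make an outgoing AXFR arbitrarily expensive. The loop body and the rest of `doAXFR` continue outside the hunks, and the first hunk presumes `dk` is already declared earlier in the function.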