From b9dba5c15e7653073be6095506b081ba97d1c57d Mon Sep 17 00:00:00 2001
From: Bert Hubert
Date: Sun, 30 Jan 2011 21:19:03 +0000
Subject: [PATCH] if I understand things correctly, powerdns does 'opt-out' NSEC3, but we did not say that in the NSEC3/NSEC3PARAM. I hope I got it right ;-)
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1939 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/packethandler.cc | 2 +-
 pdns/pdnssec.cc | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f2f94508af..02b703abf8 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -483,7 +483,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
 NSEC3RecordContent n3rc;
 n3rc.d_set.insert(QType::RRSIG);
 n3rc.d_salt=ns3prc.d_salt;
- n3rc.d_flags = 0;
+ n3rc.d_flags = ns3prc.d_flags;
 n3rc.d_iterations = ns3prc.d_iterations;
 n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 92c60ba411..959b673e5c 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -442,9 +442,14 @@ try
 showZone(dk, zone);
 } else if(cmds[0]=="set-nsec3") {
- string nsec3params = cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
+ string nsec3params = cmds.size() > 2 ? cmds[2] : "1 1 1 ab";
 bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
 NSEC3PARAMRecordContent ns3pr(nsec3params);
+ if(!ns3pr.d_flags) {
+ cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"<
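Review bot: In emitNSEC3, `n3rc.d_flags = ns3prc.d_flags;` copies every bit of the stored flags octet into each NSEC3 record, and the `if(!ns3pr.d_flags)` check added to pdnssec.cc rejects only zero, so a value such as 2 or 255 would be accepted and served. RFC 5155 defines only the Opt-Out bit, and validators must ignore NSEC3 records whose Flags field is anything other than 0 or 1, which would leave the zone's denial-of-existence answers unverifiable. Masking at emission, `n3rc.d_flags = ns3prc.d_flags & 1;`, and rejecting `ns3pr.d_flags != 1` in set-nsec3 would close that gap. The same RFC says the Flags field of a published NSEC3PARAM is zero and that non-zero ones are ignored, so it is worth confirming that the opt-out bit stays in the stored parameters and never reaches the NSEC3PARAM record on the wire; that code is not visible here. emitNSEC3's body starts and ends outside this hunk.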