From a55f0208fc180e8ee51e7b0d017441a51ffb40cf Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 24 Feb 2021 18:20:30 +0100
Subject: [PATCH] rec: Skip the aggressive NSEC cache for internal and forward
 zones

---
 pdns/syncres.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 122d71ff9b..3af286e4a4 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1944,7 +1944,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
   }
 
   /* let's check if we have a NSEC covering that record */
-  if (g_aggressiveNSECCache) {
+  if (g_aggressiveNSECCache && !wasForwardedOrAuthZone) {
     if (g_aggressiveNSECCache->getDenial(d_now.tv_sec, qname, qtype, ret, res, d_cacheRemote, d_routingTag, d_doDNSSEC)) {
       state = vState::Secure;
       return true;
-- 
2.47.2