From 597e49e2db272064888df16eeadaa5b91e175595 Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Mon, 21 Jun 2021 16:54:16 +0200
Subject: [PATCH] auth: correctly respect direct-dnskey when putting DNSKEY/CDS/CDNSKEY in NSEC(3) bitmaps. Thanks @mind04. Fixes #10516
---
 pdns/packethandler.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 6c568b583f..84a6bd983e 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -627,6 +627,9 @@ void PacketHandler::emitNSEC(std::unique_ptr& r, const DNSName& name,
 nrc.set(QType::A);
 nrc.set(QType::AAAA);
 }
+ else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+ continue;
+ }
 else if(rr.dr.d_type == QType::NS || rr.auth) {
 nrc.set(rr.dr.d_type);
 }
@@ -691,6 +694,9 @@ void PacketHandler::emitNSEC3(std::unique_ptr& r, const NSEC3PARAMRec
 n3rc.set(QType::A);
 n3rc.set(QType::AAAA);
 }
+ else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+ continue;
+ }
 else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
 // skip empty non-terminals
 n3rc.set(rr.dr.d_type);
-- 
2.47.2
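Review bot: The new `else if` in emitNSEC evaluates `d_dk.isPresigned(d_sd.qname)` and `::arg().mustDo("direct-dnskey")` again for every DNSKEY/CDS/CDNSKEY record, and the same long condition is pasted verbatim into emitNSEC3 in the second hunk, so the two copies can drift apart. Neither lookup depends on `rr`, so I would compute it once before the loop, `const bool skipBackendKeys = !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey");`, and reduce both branches to `else if(skipBackendKeys && (rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY))`. A one-line comment above the branch would also help, for example `// key records stored in the backend only count for presigned zones or with direct-dnskey`. The enclosing loop and the start of both functions lie outside the hunks, so the hoisted line's exact position needs checking against the full file.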
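Review bot: Nothing in this patch pins the new bitmap behaviour, since the diffstat touches only pdns/packethandler.cc, so the emitNSEC3 branch and its emitNSEC twin can regress unnoticed. NSEC and NSEC3 type bitmaps are signed denial-of-existence data, and a bitmap that disagrees with what the server actually answers for DNSKEY, CDS or CDNSKEY is likely to surface as validation failures at resolvers. A regression test with key records stored in the backend and direct-dnskey off, checking the bitmap for both an NSEC and an NSEC3 zone, would cover it. The hunk does not show where the DNSKEY bit is set at the apex of a live-signed zone once these rows are skipped; presumably that happens earlier in the function, which is worth confirming.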