From 2e9c87107098b007aaaf453338a02413f8f37a04 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Fri, 28 Feb 2014 09:58:33 +0100
Subject: [PATCH] limit mode 0 closest provable encloser to optout

---
 pdns/packethandler.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index e970a649c8..68a299541f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -618,7 +618,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after, mode);
 
-    if ((mode == 0 ||  mode == 1) && (hashed != before)) {
+    if (((mode == 0 && ns3rc.d_flags) ||  mode == 1) && (hashed != before)) {
       DLOG(L<<"No matching NSEC3, do closest (provable) encloser"<<endl);
 
       bool doBreak = false;
-- 
2.47.2