From da3732b5c0a733e87a17c791abaa9558153b3e8a Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Fri, 15 Apr 2016 11:55:40 +0200 Subject: [PATCH] Always validate on 'validate' and 'log-fail' Closes #3709 Also add a comment in the code regarding another DNSSEC ticket --- pdns/pdns_recursor.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 86fc88598d..3cee6bde20 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -925,7 +925,9 @@ void startDoResolve(void *p) else { pw.getHeader()->rcode=res; - if(haveEDNS) { + // FIXME: haveEDNS is not the way to handle initiation of validation, we + // should look for the AD bit in the header, see #3682 + if(haveEDNS || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog) { if(g_dnssecmode != DNSSECMode::Off && ((edo.d_Z & EDNSOpts::DNSSECOK) || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog)) { if(sr.doLog()) { L<d_mdp.d_qname<<" for "<d_remote.toStringWithPort()<
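Review bot: With the widened outer test, the unchanged inner condition `(edo.d_Z & EDNSOpts::DNSSECOK) || ...` is now reached for queries that carried no EDNS, so `edo.d_Z` is read before the mode checks even though no OPT record was parsed. Whether `edo` is value-initialised in that case is not visible in this hunk; if it is not, the read is of an indeterminate value, although the outcome is still decided by the `ValidateAll`/`ValidateForLog` terms. Guarding the flag test makes the intent explicit: `((haveEDNS && (edo.d_Z & EDNSOpts::DNSSECOK)) || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog)`. The two mode comparisons are now repeated in both `if`s and could be computed once into a named bool, so the policy for when validation starts lives in one place. startDoResolve begins and ends outside the hunk.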