From 5a7d2a189b3d30fadfe333ee58fda8859342aaac Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 1 Jun 2016 23:02:56 +0200
Subject: [PATCH] Recursor: +CD on queries forwarded to a recursor
---
 pdns/lwres.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/pdns/lwres.cc b/pdns/lwres.cc
index 3313d26c92..758296f8d0 100644
--- a/pdns/lwres.cc
+++ b/pdns/lwres.cc
@@ -65,7 +65,18 @@ int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool d
 pw.getHeader()->rd=sendRDQuery;
 pw.getHeader()->id=dns_random(0xffff);
-
+ /* RFC 6840 section 5.9:
+ * This document further specifies that validating resolvers SHOULD set
+ * the CD bit on every upstream query. This is regardless of whether
+ * the CD bit was set on the incoming query [...]
+ *
+ * sendRDQuery is only true if the qname is part of a forward-zone-recurse (or
+ * set in the forward-zone-file), so we use this as an indicator for it being
+ * an "upstream query". To stay true to "dnssec=off means 3.X behaviour", we
+ * only set +CD on forwarded query in any mode other than dnssec=off.
+ */
+ pw.getHeader()->cd=(sendRDQuery && ::arg()["dnssec"] != "off");
+
 string ping;
 bool weWantEDNSSubnet=false;
 if(EDNS0Level && !doTCP) {
-- 
2.47.2
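Review bot: The new assignment `pw.getHeader()->cd=(sendRDQuery && ::arg()["dnssec"] != "off");` sets CD in every dnssec mode except `off`, whereas the RFC 6840 text quoted above it is addressed to validating resolvers. If the setting has non-off modes in which this recursor does not validate answers itself (process-no-validate appears to be one), +CD asks the forwarder to return data it would otherwise have rejected as bogus and nothing downstream re-checks it, so an operator relying on a validating forwarder silently loses that protection. I would gate the bit on the modes that actually validate, or at least record the trade-off in the comment, e.g. `* Note: with +CD the forwarder no longer filters bogus data for us; this is only safe when we validate ourselves.` The option is also looked up and string-compared on every outgoing query here, so a value parsed once at startup would be cheaper. asyncresolve() begins and ends outside this hunk, so how the response's AD/CD bits are handled afterwards is not visible.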