From e783871943f842fdcf573c17ee7ea87bcfe597a9 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Fri, 26 Apr 2019 12:08:58 +0200
Subject: [PATCH] auth: add comments to explain the DS referall logic
---
 pdns/packethandler.cc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 40ae41871d..8bc108a06a 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1455,6 +1455,9 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
 bool doReferral = true;
 if(d_dk.doesDNSSEC()) {
 for(auto& loopRR: rrset) {
+ // In a dnssec capable backend auth=true means, there is no delagation at
+ // or above this qname in this zone (for DS queries). Without a delegation,
+ // at or above this level, it is pointless to search for refferals.
 if(loopRR.auth) {
 doReferral = false;
 break;
@@ -1462,6 +1465,8 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
 }
 } else {
 for(auto& loopRR: rrset) {
+ // In a non dnssec capable backend auth is always true, so our only option
+ // is, always look for referals. Unless there is a direct match for DS.
 if(loopRR.dr.d_type == QType::DS) {
 doReferral = false;
 break;
-- 
2.47.2
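Review bot: The three comment lines added before `if(loopRR.auth)` misspell the terms a maintainer would grep for ("delagation", "refferals"), and the two added before the `QType::DS` check in the second hunk have "referals"; I would spell them "delegation" and "referrals" throughout. The first comment also states the `auth` invariant unconditionally, while it presumably holds only when the backend's auth flags are correct for the zone, so I would word it as `// With a DNSSEC-capable backend, auth=true on a DS rrset means there is no delegation at or above this qname in this zone, provided the zone's auth flags are set correctly.` For the second hunk, `// A non-DNSSEC backend always reports auth=true, so always look for referrals unless there is a direct match for DS.` says the same thing without the sentence fragment. doQuestion's body starts and ends outside both hunks, so how `doReferral` is consumed afterwards is not visible here.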