From 46df9251dfbd1d45ee26e410011713f2a550c721 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 17 Jun 2019 10:40:57 +0200
Subject: [PATCH] rec: Add comments to clarify the no DS case when detecting zone cuts
---
 pdns/syncres.cc | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index fa73da9945..968726fbec 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1784,6 +1784,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 if (rcode == RCode::NoError) {
 if (ds.empty()) {
+ /* we have no DS, it's either:
+ - a delegation to a non-DNSSEC signed zone
+ - no delegation, we stay in the same zone
+ */
 if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) {
 /* we are still inside the same zone */
@@ -1798,6 +1802,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 *foundCut = true;
 }
+ /* a delegation with no DS is either:
+ - a signed zone (Secure) to an unsigned one (Insecure)
+ - an unsigned zone to another unsigned one (Insecure stays Insecure, Bogus stays Bogus)
+ */
 return state == Secure ? Insecure : state;
 } else {
 /* we have a DS */
--
2.47.2
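Review bot: The new comment in the `ds.empty()` branch names two cases, but the condition directly below it also takes the same-zone path when `gotCNAME` is set, and nothing explains why a CNAME answer to the DS query counts as "no delegation". I would add a third line to the comment, for example `- a CNAME at this name, which cannot coexist with a delegation, so we stay in the same zone`, if that is indeed the reasoning. The `if (rcode == RCode::NoError)` block and getDSRecords itself start and end outside the hunk, so where `gotCNAME` is set cannot be seen here.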
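Review bot: In the comment above `return state == Secure ? Insecure : state;`, the second bullet files Bogus under "an unsigned zone", which reads oddly because a Bogus parent is not an unsigned zone. A separate bullet such as `- a Bogus parent: the state is kept, a missing DS never upgrades it` would match the ternary more closely. This return is also where a Secure chain is downgraded to Insecure, so the comment should say what that downgrade relies on, presumably that the absence of a DS was established by a validated denial and not by an empty answer alone. The code that would establish this lies outside the hunk.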