rec: Skip DNSSEC validation for cache hits from authoritative zones
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 28 Apr 2017 16:48:21 +0000 (18:48 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 28 Apr 2017 16:48:21 +0000 (18:48 +0200)
pdns/syncres.cc

index 75a9430fc7f9467a3d36702190cf989ccdbf8933..14a560c447d9c3d2c798c70a7cd739b499d53d90 100644 (file)
@@ -828,7 +828,16 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
   //  cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl;
 
   DNSName authname(qname);
-  bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+  bool wasForwardedOrAuth = false;
+  bool wasAuth = false;
+  domainmap_t::const_iterator iter=getBestAuthZone(&authname);
+  if(iter != t_sstorage->domainmap->end()) {
+    wasForwardedOrAuth = true;
+    const vector<ComboAddress>& servers = iter->second.d_servers;
+    if(servers.empty()) {
+      wasAuth = true;
+    }
+  }
   NegCache::NegCacheEntry ne;
 
   if(s_rootNXTrust &&
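Review bot: The `servers.empty()` test is the only thing that separates a locally served zone from a forwarded one, and the hunk does not say so, so a reader has to already know that convention for `d_servers`. Since `wasAuth` later decides whether DNSSEC validation is skipped, the assumption deserves a comment above the test, for example `// a domainmap entry without servers is a zone we answer ourselves, not a forward`. The nested `if` could then collapse to `wasAuth = iter->second.d_servers.empty();`. doCacheCheck begins before and continues past this hunk, so any other use of `iter` is not visible here.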
@@ -903,6 +912,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
     if(found && !expired) {
       if(!giveNegative)
         res=0;
+      d_wasOutOfBand = wasAuth;
       return true;
     }
     else
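Review bot: `d_wasOutOfBand = wasAuth;` marks the answer as out-of-band from where qname sits in the domain map, not from where the cached record actually came from. If a record under a locally served zone can reach the cache from the network (for instance a child delegated to external servers from inside that zone, or an entry cached before the zone was loaded; neither case is visible here), this cache hit would bypass DNSSEC validation for data that was never local. The assignment also overwrites whatever the flag held from an earlier step of the same resolution, so it is worth confirming how the consumer, which lies outside this hunk, handles a CNAME chain that crosses a zone boundary. I would add a regression test for a delegated name below an auth zone and a comment at the assignment such as `// wasAuth reflects the zone matching qname, not the origin of the cached record`.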