add RRSIG if required as soon as they are found

When EDNS DO flag (`dig +dnssec`) flag is set, an rdataset is allocated
to hold the RRSIG of an RR, if present in DB. However, this allocation
is not done if the zone DB is not considered as secure
(`dns_db_issecure() == false`). Changes this behaviour by allocating the
rdataset anyway, so the RRSIG can be associated in the answer section of
the response as soon it is found from the DB.

diff --git a/lib/ns/query.c b/lib/ns/query.c
index f0a5a50251d84b58059e8ebdc632d537933f018d..22a3a9caa5e0d40fd16a1a5b1e18c6f8ecb30e24 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5843,9 +5843,7 @@ qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) {
        qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer);
        qctx->rdataset = ns_client_newrdataset(qctx->client);
 
-       if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) &&
-           (!qctx->is_zone || dns_db_issecure(qctx->db)))
-       {
+       if (WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) {
                qctx->sigrdataset = ns_client_newrdataset(qctx->client);
        }