rec: Log when going Bogus because of a missing SOA in authority

A missing SOA in the authority section of negative (NXDOMAIN, NODATA)
answers in a DNSSEC-secure zone currently leads to a Bogus result,
because the needed NSEC/NSEC3 could not be validated.

(cherry picked from commit 832f4fbdd7ef50d0e0ff5135ee6e270acc22df9d)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 33f8f1d9868af555afe78c73fba74b1c51c8a616..aaa4bd9ad3c8bbd46d38d8ea37284442fa9cac1c 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -3727,6 +3727,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
     LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl);
 
     if (state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+      LOG(prefix<<qname<<": NXDOMAIN without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
       updateValidationState(state, vState::Bogus);
     }
 
@@ -3741,6 +3742,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
     LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl);
 
     if(state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+      LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
       updateValidationState(state, vState::Bogus);
     }