From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 28 Apr 2017 16:48:21 +0000 (+0200)
Subject: rec: Skip DNSSEC validation for cache hits from authoritative zones
X-Git-Tag: rec-4.1.0-alpha1~137^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=129bb0c322b6a20860c14f0b1bcfcad2bd586389;p=thirdparty%2Fpdns.git

rec: Skip DNSSEC validation for cache hits from authoritative zones
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 75a9430fc7..14a560c447 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -828,7 +828,16 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
   //  cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl;
 
   DNSName authname(qname);
-  bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+  bool wasForwardedOrAuth = false;
+  bool wasAuth = false;
+  domainmap_t::const_iterator iter=getBestAuthZone(&authname);
+  if(iter != t_sstorage->domainmap->end()) {
+    wasForwardedOrAuth = true;
+    const vector<ComboAddress>& servers = iter->second.d_servers;
+    if(servers.empty()) {
+      wasAuth = true;
+    }
+  }
   NegCache::NegCacheEntry ne;
 
   if(s_rootNXTrust &&
@@ -903,6 +912,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
     if(found && !expired) {
       if(!giveNegative)
         res=0;
+      d_wasOutOfBand = wasAuth;
       return true;
     }
     else