From: Kees Monshouwer
Date: Tue, 29 Mar 2016 07:39:49 +0000 (+0200)
Subject: don't add nsec3 records for insecure delegations in optout zones
X-Git-Tag: dnsdist-1.0.0-beta1~28^2^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15101695192490079e35c0a1e9513b93ed355ebe;p=thirdparty%2Fpdns.git
don't add nsec3 records for insecure delegations in optout zones
---
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 1b25b8a7c0..926f4b477e 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -267,7 +267,7 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
 sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, true, QType::DS);
 if (!auth || nsset.count(qname)) {
 ordername.clear();
- if(isOptOut)
+ if(isOptOut && !dsnames.count(qname))
 sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::NS);
 sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::A);
 sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::AAAA);
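Review bot: The new condition `isOptOut && !dsnames.count(qname)` carries the whole opt-out rule without a comment, and the unbraced `if` governs only the QType::NS update while the A and AAAA updates after it run unconditionally. A comment such as `// opt-out: only insecure delegations (no DS at qname) get an empty NS ordername` and braces around the NS call would make that scope explicit. `dsnames` is populated outside this hunk, so it is worth confirming that it holds every DS owner name before this loop runs; a missing entry would appear to clear the NS ordername of a secure delegation while the DS update above keeps it. No test accompanies the change in this diff, and a rectify case with both a secure and an insecure delegation in an opt-out zone would pin the behaviour. The body of rectifyZone starts and ends outside the hunk.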