From: Kees Monshouwer <mind04@monshouwer.org>
Date: Tue, 30 Jan 2018 23:19:38 +0000 (+0100)
Subject: auth: do not set ordername during rectify of non-dnssec zones
X-Git-Tag: dnsdist-1.3.0~72^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2977b0731c427e34e544ec60b1b9e3d7108bf0c4;p=thirdparty%2Fpdns.git

auth: do not set ordername during rectify of non-dnssec zones
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 7303b03838..f985cc3266 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -667,11 +667,13 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, string& info,
   }
 
   NSEC3PARAMRecordContent ns3pr;
-  bool narrow;
-  bool haveNSEC3 = getNSEC3PARAM(zone, &ns3pr, &narrow);
-  bool isOptOut = (haveNSEC3 && ns3pr.d_flags);
+  bool securedZone = isSecuredZone(zone);
+  bool haveNSEC3 = false, isOptOut = false, narrow = false;
+
+  if(securedZone) {
+    haveNSEC3 = getNSEC3PARAM(zone, &ns3pr, &narrow);
+    isOptOut = (haveNSEC3 && ns3pr.d_flags);
 
-  if(isSecuredZone(zone)) {
     if(!haveNSEC3) {
       infostream<<"Adding NSEC ordering information ";
     }
@@ -749,7 +751,7 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, string& info,
       } else if(!realrr)
         auth=false;
     }
-    else if (realrr) // NSEC
+    else if (realrr && securedZone) // NSEC
       ordername=qname.makeRelative(zone);
 
     sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth);