From: Remi Gacogne
Date: Fri, 5 Mar 2021 16:24:04 +0000 (+0100)
Subject: rec: An opt-out NSEC3 is a valid (insecure) proof for an expanded wildcard
X-Git-Tag: rec-4.5.0-beta1~4^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=781ff655a63b70a392c044e6257000050006320a;p=thirdparty%2Fpdns.git
rec: An opt-out NSEC3 is a valid (insecure) proof for an expanded wildcard
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index ef093d0a27..0c55075cd0 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -3509,7 +3509,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
 dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
 if (res != dState::NXDOMAIN) {
 vState st = vState::BogusInvalidDenial;
- if (res == dState::INSECURE) {
+ if (res == dState::INSECURE || res == dState::OPTOUT) {
 /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations,
 this is not enough to warrant a Bogus, but go Insecure. */
 st = vState::Insecure;
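Review bot: The explanatory comment directly below the changed condition still describes only the too-many-iterations case, so the new `res == dState::OPTOUT` branch reads as if an opt-out NSEC3 were a validation failure rather than a deliberately weaker proof. I would extend it along the lines of `/* Either some part could not be validated (e.g. a NSEC3 with too many iterations), or the NSEC3 covering the next closer name has the Opt-Out flag set and so only proves that no secure delegation exists there, not that the name is absent (RFC 5155, Opt-Out); neither warrants Bogus, so go Insecure. */`. This presumes getDenial reports OPTOUT only for the NSEC3 covering the next closer name of the wildcard expansion, which the hunk does not show; worth confirming, since an opt-out NSEC3 elsewhere in the response should not turn an otherwise Bogus wildcard answer into an Insecure one. The enclosing processRecords and the surrounding if block begin and end outside the hunk.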