From: Kees Monshouwer
Date: Thu, 28 Jul 2016 13:17:39 +0000 (+0200)
Subject: don't send covering nsec records for direct nsec queries
X-Git-Tag: auth-4.0.1~8^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7cd992965a60d83eedac56c89fba7a1d5b69c993;p=thirdparty%2Fpdns.git
don't send covering nsec records for direct nsec queries
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 90a66d2790..843d275167 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -700,7 +700,8 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const DNSName& target, c
 DNSName before,after;
 sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
- emitNSEC(r, sd, before, after, mode);
+ if (mode != 5 || before == target)
+ emitNSEC(r, sd, before, after, mode);
 if (mode == 2 || mode == 4) {
 // wildcard NO-DATA or wildcard denial
@@ -1330,7 +1331,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 // this TRUMPS a cname!
 if(p->qtype.getCode() == QType::NSEC && d_dk.isSecuredZone(sd.qname) && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
 addNSEC(p, r, target, DNSName(), sd.qname, 5);
- goto sendit;
+ if (!r->isEmpty())
+ goto sendit;
 }
 // this TRUMPS a cname!
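Review bot: The literal `5` in the new guard `if (mode != 5 || before == target)` in addNSEC is an undocumented mode value. The only visible hint that it means a direct NSEC query is the call `addNSEC(p, r, target, DNSName(), sd.qname, 5)` in the second hunk. A comment on the guard would record the intent, for example `// mode 5 = direct NSEC query: emit only the NSEC owned by target, never a covering one`. Judging by the commit subject, this guard is what stops a record owned by a different name from being returned as the answer, so the reason belongs next to the code. addNSEC starts and ends outside the hunk, so the meaning of the other mode values could not be checked here.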
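Review bot: The new `if (!r->isEmpty())` in questionOrRecurse infers whether addNSEC emitted a record from the state of the whole reply packet. That holds only if `r` carries no records before this point, which the hunk does not show and which should be confirmed. A comment such as `// nothing emitted: target owns no NSEC, fall through to the normal lookup` would make the fall-through visibly intentional. Having addNSEC report whether it emitted anything would remove the coupling altogether. The unbraced `if` guarding a `goto` is also safer braced, `if (!r->isEmpty()) { goto sendit; }`, so a line added later cannot land outside the condition. questionOrRecurse continues outside the hunk.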