From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 5 Nov 2019 13:03:19 +0000 (+0100)
Subject: Even for HardenNXD::Yes we don't want to believe Bogus NXDOMAINs.
X-Git-Tag: dnsdist-1.4.0~17^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ce0efaad41be0c698407791f37873552a4f023b;p=thirdparty%2Fpdns.git

Even for HardenNXD::Yes we don't want to believe Bogus NXDOMAINs.
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index e2aa148a48..3ffeae0dba 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1427,7 +1427,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
           // And get the updated ne struct
           //t_sstorage.negcache.get(negCacheName, QType(0), d_now, &ne, true);
         }
-        if (s_hardenNXD == HardenNXD::Yes || ne->d_validationState == Secure) {
+        if ((s_hardenNXD == HardenNXD::Yes && ne->d_validationState != Bogus) || ne->d_validationState == Secure) {
           res = RCode::NXDomain;
           sttl = ne->d_ttd - d_now.tv_sec;
           giveNegative = true;