From: Kees Monshouwer
Date: Sat, 3 Jun 2017 14:25:02 +0000 (+0200)
Subject: auth: ignore NSEC3PARAM in an unsigned zone
X-Git-Tag: auth-4.0.4-rc1^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9132fb4d38053f00970e1b146702c251f0314570;p=thirdparty%2Fpdns.git

auth: ignore NSEC3PARAM in an unsigned zone
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 4bff18f2cb..9d29a29cdc 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1308,7 +1308,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 if(addCDS(p,r, sd))
 goto sendit;
 }
- else if(p->qtype.getCode() == QType::NSEC3PARAM)
+ else if(p->qtype.getCode() == QType::NSEC3PARAM && d_dk.isSecuredZone(sd.qname))
 {
 if(addNSEC3PARAM(p,r, sd))
 goto sendit;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index c4c047147d..837aa86cd7 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -597,7 +597,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 NSEC3PARAMRecordContent ns3pr;
 bool narrow;
 bool NSEC3Zone=false;
- if(dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
+ if(securedZone && dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
 NSEC3Zone=true;
 if(narrow) {
 L<getRemote()<
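Review bot: The new `&& d_dk.isSecuredZone(sd.qname)` condition on the NSEC3PARAM branch has no comment explaining why the zone's signed state gates the answer. A later cleanup could fold the check away and go back to answering NSEC3PARAM for unsigned zones that, presumably, still carry leftover NSEC3 settings. I would add a line above the branch such as `// only answer NSEC3PARAM via addNSEC3PARAM() when the zone is actually signed`. With the condition false, the query now falls through to whatever follows this else-if chain. That code is outside the hunk, so it is worth confirming that path gives the intended response for an unsigned zone and covering it with a regression test.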
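Review bot: `bool narrow;` is declared without an initializer, and the added `securedZone &&` short-circuit means `dk.getNSEC3PARAM()` is no longer called for unsigned zones, so on that path nothing can assign `narrow` or fill `ns3pr`. The visible read, `if(narrow)`, sits inside the guarded branch and is fine. But doAXFR continues beyond this hunk, and any later read not guarded by `NSEC3Zone` would see an indeterminate value. Initialising at the declaration, `bool narrow=false;`, removes that dependency at no cost. `securedZone` is defined outside the hunk; presumably it is computed for `target` earlier in doAXFR, which is worth confirming.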