From: Pieter Lexis
Date: Fri, 22 Apr 2016 10:14:34 +0000 (+0200)
Subject: Only process CD flags in a dnssec mode
X-Git-Tag: rec-4.0.0-alpha3~26^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9eec8c989f2bf8ba97283a8bbe6690df228624b2;p=thirdparty%2Fpdns.git
Only process CD flags in a dnssec mode
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 33ef3437a8..9d6617190e 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -736,12 +736,17 @@ void startDoResolve(void *p)
 sr.d_requestor=dc->d_remote;
 }
- if(g_dnssecmode != DNSSECMode::Off)
+ if(g_dnssecmode != DNSSECMode::Off) {
 sr.d_doDNSSEC=true;
-
- if(pw.getHeader()->cd || (edo.d_Z & EDNSOpts::DNSSECOK)) {
- DNSSECOK=true;
- g_stats.dnssecQueries++;
+
+ // Does the requestor want DNSSEC records?
+ if(edo.d_Z & EDNSOpts::DNSSECOK) {
+ DNSSECOK=true;
+ g_stats.dnssecQueries++;
+ }
+ } else {
+ // Ignore the client-set CD flag
+ pw.getHeader()->cd=0;
 }
 bool tracedQuery=false; // we could consider letting Lua know about this too
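Review bot: The `else` branch for `DNSSECMode::Off` changes more than its comment says: besides clearing `cd` on `pw`'s header, a query carrying the EDNS DO bit no longer sets `DNSSECOK` or increments `g_stats.dnssecQueries`, because that check now sits inside the `!= Off` branch, whereas the removed code ran it in every mode. If that is intended, the comment should say so, for example `// DNSSEC is off: DO is neither honoured nor counted, and the client-set CD flag is cleared`, so that anyone reading `dnssecQueries` knows it stops reflecting client demand in this mode. A CD-only query (no DO) also stops setting `DNSSECOK` in the DNSSEC modes, which looks deliberate given the subject line but deserves a sentence in the commit message. `startDoResolve` starts and ends outside the hunk, so the initial value of `DNSSECOK` and any later use of `cd` cannot be checked from here.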