From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Tue, 4 Feb 2020 08:15:58 +0000 (+0100)
Subject: IXFR: only sign SOA in empty response for +DO queries
X-Git-Tag: auth-4.3.0-beta2~14^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ada68bd97b0aabfbc446048fdf4921aaaa620153;p=thirdparty%2Fpdns.git

IXFR: only sign SOA in empty response for +DO queries
---

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 18739a92be..e5ac77c4c8 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -1168,7 +1168,7 @@ int TCPNameserver::doIXFR(std::unique_ptr<DNSPacket>& q, int outsock)
     DLOG(g_log<<"Sending out SOA"<<endl);
     DNSZoneRecord soa = makeEditedDNSZRFromSOAData(dk, sd);
     outpacket->addRecord(soa);
-    if(securedZone) {
+    if(securedZone && outpacket->d_dnssecOk) {
       set<DNSName> authSet;
       authSet.insert(target);
       addRRSigs(dk, signatureDB, authSet, outpacket->getRRS());