From 129bb0c322b6a20860c14f0b1bcfcad2bd586389 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 28 Apr 2017 18:48:21 +0200
Subject: [PATCH] rec: Skip DNSSEC validation for cache hits from authoritative
 zones

---
 pdns/syncres.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 75a9430fc7..14a560c447 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -828,7 +828,16 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
   //  cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl;
 
   DNSName authname(qname);
-  bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+  bool wasForwardedOrAuth = false;
+  bool wasAuth = false;
+  domainmap_t::const_iterator iter=getBestAuthZone(&authname);
+  if(iter != t_sstorage->domainmap->end()) {
+    wasForwardedOrAuth = true;
+    const vector<ComboAddress>& servers = iter->second.d_servers;
+    if(servers.empty()) {
+      wasAuth = true;
+    }
+  }
   NegCache::NegCacheEntry ne;
 
   if(s_rootNXTrust &&
@@ -903,6 +912,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
     if(found && !expired) {
       if(!giveNegative)
         res=0;
+      d_wasOutOfBand = wasAuth;
       return true;
     }
     else
-- 
2.47.2