From 2befa249801c21fec6c14ffa0037383696f757b7 Mon Sep 17 00:00:00 2001
From: Grigorii Demidov
Date: Fri, 24 Mar 2017 12:51:36 +0100
Subject: [PATCH] lib/resolve: avoid unnecessary DS queries
---
 lib/resolve.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/resolve.c b/lib/resolve.c
index c6496f763..0352179d9 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -842,6 +842,14 @@ static int trust_chain_check(struct kr_request *request, struct kr_query *qry)
 if (kr_ta_get(negative_anchors, qry->zone_cut.name)){
 VERBOSE_MSG(qry, ">< negative TA, going insecure\n");
 qry->flags &= ~QUERY_DNSSEC_WANT;
+ qry->flags |= QUERY_DNSSEC_INSECURE;
+ }
+ if (qry->flags & QUERY_DNSSEC_NODS) {
+ /* This is the next query iteration with minimized qname.
+ * At previous iteration DS non-existance has been proven */
+ qry->flags &= ~QUERY_DNSSEC_NODS;
+ qry->flags &= ~QUERY_DNSSEC_WANT;
+ qry->flags |= QUERY_DNSSEC_INSECURE;
 }
 /* Enable DNSSEC if enters a new island of trust. */
 bool want_secured = (qry->flags & QUERY_DNSSEC_WANT) &&
--
2.47.2
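Review bot: The new `QUERY_DNSSEC_NODS` branch switches validation off (clears `QUERY_DNSSEC_WANT`, sets `QUERY_DNSSEC_INSECURE`) purely on a flag carried over from the previous iteration, with no log line and no visible check that the earlier DS non-existence proof covers the current `qry->zone_cut.name`. Because this is a DNSSEC downgrade path, it should leave a trace the way the negative-TA branch does, e.g. `VERBOSE_MSG(qry, ">< DS non-existence proven at previous iteration, going insecure\n");`, and the comment should say where `QUERY_DNSSEC_NODS` is set and for which name it is valid. The rest of `trust_chain_check` lies outside the hunk, so please confirm that the "new island of trust" code below clears `QUERY_DNSSEC_INSECURE` if it turns `QUERY_DNSSEC_WANT` back on; otherwise both flags could presumably end up set on the same query. Minor: "non-existance" in the comment should read "non-existence".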