From 84f5424c36ea36efc8f7c9adbe5f92b133f7ffe1 Mon Sep 17 00:00:00 2001
From: Miod Vallat
Date: Fri, 18 Apr 2025 13:00:21 +0200
Subject: [PATCH] Do not add NSEC* hashes if the backend isn't able to do so.

---
 pdns/packethandler.cc | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 47131e91eb..9a7d64131b 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -880,11 +880,21 @@ void PacketHandler::addNSEC3(DNSPacket& p, std::unique_ptr& r, const
 if (d_sd.db == nullptr) {
 if(!B.getSOAUncached(d_sd.qname, d_sd)) {
- DLOG(g_log<<"Could not get SOA for domain");
+ DLOG(g_log<<"Could not get SOA for domain"<doesDNSSEC()) {
+ // We are in a configuration where the zone is primarily served by a
+ // non-DNSSEC-capable backend, but DNSSEC keys have been added to the
+ // zone in a second, DNSSEC-capable backend, which caused d_dnssec to
+ // be set to true. While it would be nice to support such a zone
+ // configuration, we don't. Log a warning and skip DNSSEC processing.
+ g_log << Logger::Notice << "Backend for zone '" << d_sd.qname << "' does not support DNSSEC operation, not adding NSEC3 hashes" << endl;
+ return;
+ }
+
 bool doNextcloser = false;
 string before, after, hashed;
 DNSName unhashed, closest;
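Review bot: The new `g_log << Logger::Notice` line in addNSEC3 appears to fire on every query that reaches this point for an affected zone, because the condition depends only on the zone's backend and not on the query, so a burst of remote queries for such a zone becomes the same number of Notice log lines; the matching check in the addNSEC hunk has the same property. Since the early return leaves the response without NSEC3 records, this log line is the only signal of the misconfiguration, which argues for emitting it once per zone rather than suppressing it or letting client traffic drive log volume. The comment also says `Log a warning` while the code logs at `Logger::Notice`; either the level or the wording should change, e.g. `// configuration, we don't. Log this at Notice level and skip DNSSEC processing.` The body of addNSEC3 continues outside the hunk, and the first added line is garbled in this extract, so the guard's exact placement after the SOA lookup is inferred.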
@@ -970,6 +980,16 @@ void PacketHandler::addNSEC(DNSPacket& /* p */, std::unique_ptr& r, c
 }
 }
 
+ if (!d_sd.db->doesDNSSEC()) {
+ // We are in a configuration where the zone is primarily served by a
+ // non-DNSSEC-capable backend, but DNSSEC keys have been added to the
+ // zone in a second, DNSSEC-capable backend, which caused d_dnssec to
+ // be set to true. While it would be nice to support such a zone
+ // configuration, we don't. Log a warning and skip DNSSEC processing.
+ g_log << Logger::Notice << "Backend for zone '" << d_sd.qname << "' does not support DNSSEC operation, not adding NSEC hashes" << endl;
+ return;
+ }
+
 DNSName before,after;
 d_sd.db->getBeforeAndAfterNames(d_sd.domain_id, d_sd.qname, target, before, after);
 if (mode != 5 || before == target)
--
2.47.2
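Review bot: The check and its five-line comment added to addNSEC are a verbatim copy of the ones added to addNSEC3 in the previous hunk, differing only in the `NSEC`/`NSEC3` word of the message; a small private helper taking that word would keep the log level, wording and rationale in one place when either is tuned later. The dereference `d_sd.db->doesDNSSEC()` is no riskier than the existing `d_sd.db->getBeforeAndAfterNames(...)` two lines below, but unlike addNSEC3 this hunk shows no `d_sd.db == nullptr` guard; addNSEC's body starts before the hunk, so that is presumably handled earlier and worth confirming.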