From c3e96dca178cf355324ab34a08b3578e4fc44a31 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Sun, 1 Aug 2021 23:58:42 +0200
Subject: [PATCH] rec: Detect a loop when the denial of the DS comes from the child zone

---
 pdns/syncres.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 86ee77ae5b..d0b0d7d558 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2840,6 +2840,13 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 state = vState::BogusSelfSignedDS;
 dsFailed = true;
 }
+ else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {
+ /* if we are trying to validate the DS or more likely NSEC(3)s proving that it does not exist, we have a problem. In that case let's go Bogus (we will check later if we missed a cut) */
+ state = vState::BogusSelfSignedDS;
+ dsFailed = true;
+ }
 else if (qtype == QType::DNSKEY && signer == qname) {
 /* that actually does happen when a server returns NS records in authority along with the DNSKEY, leading us to trying to validate the RRSIGs for
-- 
2.47.2
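Review bot: The new branch only catches `signer == qname`, but a DS for qname can only be validly signed by a proper ancestor of qname, so a denial signed by a name strictly below qname is just as circular (validating it needs the DS of that child, which in turn needs the DS of qname) and would presumably fall through unless some other check in validateRecordsWithSigs handles it; the function starts and ends outside the hunk, so please confirm. If nothing else covers it, widening the test to `else if (qtype == QType::DS && signer.isPartOf(qname) && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {` closes that case with the same Bogus outcome. Separately, reusing `vState::BogusSelfSignedDS` for this distinct situation means operators looking at validation-failure reasons cannot tell a genuinely self-signed DS from a child-signed DS denial; if a more specific state is not warranted, the comment should at least say the state is reused deliberately, e.g. `/* reusing BogusSelfSignedDS: the DS denial is signed by the child itself, which is the same loop */`. The comment's "we will check later if we missed a cut" refers to logic that is not in this hunk, so a short pointer to where that happens would help the next reader.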