From 2ef32aec043867ffe2251f0a10f98d6423cc7b3e Mon Sep 17 00:00:00 2001
From: phonedph1 <phoned@gmail.com>
Date: Mon, 10 Sep 2018 17:32:07 +0000
Subject: [PATCH] If we have root-nx-trust on (default) and we have an neg SOA
 for ., and we sent to . make sure we have AA=1 too.

This prevents forward zones from providing bogus data.
---
 pdns/syncres.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index ac94aa7fb4..f5e186e9db 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2264,7 +2264,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
       */
       if(!wasVariable() && newtarget.empty()) {
         t_sstorage.negcache.add(ne);
-        if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot()) {
+        if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot() && lwr.d_aabit) {
           ne.d_name = ne.d_name.getLastLabel();
           t_sstorage.negcache.add(ne);
         }
-- 
2.47.2