From: Peter van Dijk Date: Tue, 14 May 2013 06:51:07 +0000 (+0200) Subject: Merge branch 'nodnssecany' of github.com:mind04/pdns into mind04-nodnssecany X-Git-Tag: auth-3.3-rc1~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc6bf4c8370253a7006f52f74b8b2d7a9bcb147b;p=thirdparty%2Fpdns.git Merge branch 'nodnssecany' of github.com:mind04/pdns into mind04-nodnssecany --- cc6bf4c8370253a7006f52f74b8b2d7a9bcb147b diff --cc pdns/packethandler.cc index 9a28cf660f,79eb8128fb..b095254844 mode 100755,100644..100755 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@@ -1266,9 -1261,15 +1265,13 @@@ DNSPacket *PacketHandler::questionOrRec weDone = weRedirected = weHaveUnauth = 0; while(B.get(rr)) { - if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. - continue; //TODO: this actually means addRRSig should check if the RRSig is already there. + if (p->qtype.getCode() == QType::ANY) { + if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. + continue; // TODO: this actually means addRRSig should check if the RRSig is already there. + if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) + continue; // Don't send dnssec info to non validating resolvers. + } - if(rr.qtype.getCode() == QType::DS) - rr.auth = 1; // cerr<<"Auth: "<qtype)<<", "<qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) weDone=1;
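Review bot: The comment on the new `!p->d_dnssecOk` branch says "non validating resolvers", but the condition tests the query's DNSSEC-OK flag (presumably the EDNS DO bit), which signals that a client accepts DNSSEC records, not that it validates them. I would reword it to `// DO bit not set: omit DNSKEY and NSEC3PARAM from ANY answers.` Because the flag is chosen by the sender, this branch should not be counted on as a limit on response size or on what a client can learn. The filter names only DNSKEY and NSEC3PARAM, so if the backend can return other DNSSEC-only types here (NSEC/NSEC3 stored in a presigned zone, for example, which this hunk does not show), they would still go to non-DO clients. It is worth confirming that, or saying in the comment why two types are enough. Minor: `QType:: DNSKEY` has a stray space after the scope operator, and the enclosing function starts and ends outside the hunk.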