From 34013144590b3837efab3a5992a28649b6c78601 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Mon, 25 Mar 2024 14:49:36 +0100
Subject: [PATCH] lib/rules: avoid RPZ overriding the root SOA

---
 NEWS                 | 1 +
 lib/rules/zonefile.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index 27c209a22..c5cf81b4d 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ Bugfixes
 - fix kresctl http request timeout (!1505)
 - fix RPZ if it contains apex NS record (!1516)
 - fix RPZ if SOA is repated, as usual in AXFR output (!1521)
+- avoid RPZ overriding the root SOA (!1521)
 - fix on 32-bit systems with 64-bit time_t (!1510)
 - fix paths to knot-dns libs if exec_prefix != prefix (!1503)
 
diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index 6c260d771..cfd2bc276 100644
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -144,6 +144,8 @@ static bool owner_relativize(zs_scanner_t *s)
 			apex = d->origin_soa = knot_dname_copy(s->r_owner, d->pool);
 	}
 	d->seen_record = true;
+	if (s->r_type == KNOT_RRTYPE_SOA)
+		return false; // otherwise we'd insert `. SOA` record
 
 	const int labels = knot_dname_in_bailiwick(s->r_owner, apex);
 	if (labels < 0) {
-- 
2.47.2