Merge pull request #9528 from omoerbeek/backport-9471-to-rec-4.4.x

rec: Backport 9471 to rec-4.4.x: Log when going Bogus because of a missing SOA in authority
PowerDNS · Sep 25, 2020 · 735c219 · 735c219
2 parents f64d65c + 874ad29
commit 735c219
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
@@ -3727,6 +3727,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
     LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl);
 
     if (state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+      LOG(prefix<<qname<<": NXDOMAIN without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
       updateValidationState(state, vState::Bogus);
     }
 
@@ -3741,6 +3742,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
     LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl);
 
     if(state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+      LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
       updateValidationState(state, vState::Bogus);
     }