From 82fb538654fe176a1231bdccea79f74b62f7774a Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Thu, 3 Apr 2014 16:13:37 +0200
Subject: [PATCH] AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs

---
 pdns/slavecommunicator.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 9ccbdbc55329..dd36a504fcb6 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -156,6 +156,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
 vector rrs;
 set secured;
 bool first=true;
+ bool firstNSEC3=true;
 while(retriever.getChunk(recs)) {
 if(first) {
 L<qtype.getCode() == QType::NSEC3) {
-          dnssecZone = gotPresigned = true;
 NSEC3RecordContent ns3rc(i->content);
+          if (firstNSEC3) {
+            dnssecZone = gotPresigned = true;
+            firstNSEC3 = false;
+          } else if (gotOptOutFlag != (ns3rc.d_flags & 1))
+            throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported.");
 gotOptOutFlag = ns3rc.d_flags & 1;
 if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain))
 secured.insert(toLower(makeRelative(i->qname, domain)));
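Review bot: The new `throw PDNSException(...)` in the NSEC3 branch does not name the zone, so on a slave serving many zones the resulting log entry will not tell the operator which inbound AXFR was refused; `domain` is in scope per the function signature in the hunk header, so `throw PDNSException("Zone '"+domain+"' has a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs, which is not supported.");` would make the refusal actionable. The check `gotOptOutFlag != (ns3rc.d_flags & 1)` compares each record only with the flag written by the previous one, and it is correct only because any mismatch aborts the transfer, so the first NSEC3 RR's flag ends up governing the whole zone; a one-line comment above the `else if`, `// every NSEC3 RR must carry the same Opt-Out flag as the first one seen; a mismatch aborts the transfer`, would spare the next reader from re-deriving that invariant. The declaration and type of `gotOptOutFlag` lie outside the hunk, the enclosing `suck()` begins and ends outside it, and the `@@` header of the second hunk is not visible on this page, so where exactly the branch sits in the record loop cannot be confirmed from here.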