@@ -155,6 +155,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
155155 bool gotOptOutFlag = false ;
156156 unsigned int soa_serial = 0 ;
157157 vector<DNSResourceRecord> rrs;
158+ set<string> secured;
158159 while (retriever.getChunk (recs)) {
159160 if (first) {
160161 L<<Logger::Error<<" AXFR started for '" " '"
@@ -177,7 +178,10 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
177178 continue ;
178179 } else if (i->qtype .getCode () == QType::NSEC3) {
179180 dnssecZone = gotPresigned = true ;
180- gotOptOutFlag = NSEC3RecordContent(i->content ).d_flags & 1 ;
181+ NSEC3RecordContent ns3rc (i->content );
182+ gotOptOutFlag = ns3rc.d_flags & 1 ;
183+ if (ns3rc.d_set .count (QType::NS) && !pdns_iequals (i->qname , domain))
184+ secured.insert (toLower (makeRelative (i->qname , domain)));
181185 continue ;
182186 } else if (i->qtype .getCode () == QType::NSEC) {
183187 dnssecZone = gotPresigned = true ;
@@ -210,6 +214,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
210214 }
211215 }
212216
217+
213218 BOOST_FOREACH (const DNSResourceRecord& rr, rrs) {
214219 if (rr.qtype .getCode () == QType::NS && !pdns_iequals (rr.qname , domain))
215220 nsset.insert (rr.qname );
@@ -276,8 +281,8 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
276281 if (dnssecZone && rr.qtype .getCode () != QType::RRSIG) {
277282 if (haveNSEC3) {
278283 // NSEC3
279- if (!narrow && (rr. auth || ( rr.qtype . getCode () == QType::NS && !gotOptOutFlag))) {
280- ordername= toLower ( toBase32Hex ( hashQNameWithSalt (ns3pr. d_iterations , ns3pr. d_salt , rr.qname )));
284+ ordername= toLower ( toBase32Hex ( hashQNameWithSalt (ns3pr. d_iterations , ns3pr. d_salt , rr.qname )));
285+ if (!narrow && (rr. auth || ( rr.qtype . getCode () == QType::NS && (!gotOptOutFlag || secured. count (ordername))))) {
281286 di.backend ->feedRecord (rr, &ordername);
282287 } else
283288 di.backend ->feedRecord (rr);
0 commit comments