From 3048b2a5784e624fe021712b5dabf1d731f47c13 Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Tue, 2 Dec 2025 16:53:40 +0100
Subject: [PATCH] add RRSIG if required as soon as they are found

When EDNS DO flag (`dig +dnssec`) flag is set, an rdataset is allocated to hold the RRSIG of an RR, if present in DB. However, this allocation is not done if the zone DB is not considered as secure (`dns_db_issecure() == false`). Changes this behaviour by allocating the rdataset anyway, so the RRSIG can be associated in the answer section of the response as soon it is found from the DB.
---
 lib/ns/query.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index f0a5a50251..22a3a9caa5 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5843,9 +5843,7 @@ qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) {
 qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer);
 qctx->rdataset = ns_client_newrdataset(qctx->client);
- if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) &&
- (!qctx->is_zone || dns_db_issecure(qctx->db)))
- {
+ if (WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) {
 qctx->sigrdataset = ns_client_newrdataset(qctx->client);
 }
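Review bot: The simplified condition in qctx_prepare_buffers() now allocates `qctx->sigrdataset` for zone databases where `dns_db_issecure()` is false, and nothing in the hunk records why or what later code may assume about a non-NULL sigrdataset. Any path that treated a NULL `qctx->sigrdataset` as shorthand for "this zone is not signed" would now take the signed branch for insecure or partially signed zones; that is worth confirming in the lookup and NSEC-proof code, which lies outside this hunk. I would put a comment above the `if`, for example `/* Allocate even when the zone is not considered secure, so RRSIGs present in the DB can be returned with the answer. */`. The diffstat lists only lib/ns/query.c, so a system test that sends a `+dnssec` query to a zone that is not secure but holds RRSIGs would pin the new behaviour. The function's opening line and possibly its closing brace fall outside the hunk.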