From 5094e6a481adc691a9275c767ad409d2ac994370 Mon Sep 17 00:00:00 2001
From: Shreyas Zare <shreyas@technitium.com>
Date: Sat, 15 Feb 2025 12:38:31 +0530
Subject: [PATCH] AuthZoneManager: Fixed bug in InternalQuery() that caused
 dnssec validation issue for DS record when forwarder zone for the domain
 exists.

---
 DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs b/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
index 11950e02..c4a1f834 100644
--- a/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
+++ b/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
@@ -1,6 +1,6 @@
 /*
 Technitium DNS Server
-Copyright (C) 2024  Shreyas Zare (shreyas@technitium.com)
+Copyright (C) 2025  Shreyas Zare (shreyas@technitium.com)
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -2644,6 +2644,9 @@ namespace DnsServerCore.Dns.ZoneManagers
                             return null; //no authoritative parent side delegation zone available to answer for DS
 
                         zone = delegation; //switch zone to parent side sub domain delegation zone for DS record
+
+                        if (request.DnssecOk && (delegation.AuthoritativeZone is ApexZone delegationApex))
+                            dnssecOk = delegationApex.DnssecStatus != AuthZoneDnssecStatus.Unsigned;
                     }
                 }
                 else if ((delegation is not null) && delegation.IsActive && (delegation.Name.Length > apexZone.Name.Length))