From e6979353b236d161ce1c3096836a95df46bd7d68 Mon Sep 17 00:00:00 2001
From: Ingmar Stein
Date: Tue, 12 Nov 2024 23:45:23 +0100
Subject: [PATCH] Filter AAAA: allow modification of unsigned responses for DNSSEC-aware clients

Fixes #1105
---
 Apps/FilterAaaaApp/App.cs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Apps/FilterAaaaApp/App.cs b/Apps/FilterAaaaApp/App.cs
index bb0562e4..aaacc816 100644
--- a/Apps/FilterAaaaApp/App.cs
+++ b/Apps/FilterAaaaApp/App.cs
@@ -116,7 +116,16 @@ namespace FilterAaaa
 return response;
 if (request.DnssecOk)
- return response;
+ {
+ foreach (DnsResourceRecord record in response.Answer)
+ {
+ if (record.Type == DnsResourceRecordType.RRSIG)
+ {
+ //response is signed and the client is DNSSEC aware; must not be modified
+ return response;
+ }
+ }
+ }
 if (response.RCODE != DnsResponseCode.NoError)
 return response;
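Review bot: The new `request.DnssecOk` branch decides "signed" solely from an RRSIG in `response.Answer`, so a response that was validated upstream but carries no RRSIG in that section, or whose signed data sits only in Authority, falls through to the AAAA filtering below. Whether that can happen depends on how the server populates responses, which is not visible here; if it can, a DNSSEC-aware client would receive a modified answer, possibly with the AD bit still set. I would either also return early when the response has the AD flag set, or state the assumption above the loop, e.g. `// "unsigned" means no RRSIG in Answer; Authority/Additional and the AD bit are not consulted`. The enclosing method starts and ends outside the hunk, so the filtering code itself was not reviewed.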