It's possible for minimal-any to accidentally return large responses, if it happens to choose the DNSKEY or CDNSKEY RRset. In those cases the RRset should be at the zone apex, so we can skip it and there will be another RRset to put in the response. Similarly, minimal-responses are turned on for DNSKEY and DS queries, so do the same for CDNSKEY and CDS.
---
 bin/named/query.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/bin/named/query.c b/bin/named/query.c
index 9d7eff6..a31bedb 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6139,6 +6139,16 @@ query_respond_any(query_ctx_t *qctx) {
 "minimal-any skip signature");
 dns_rdataset_disassociate(qctx->rdataset);
 } else if (qctx->client->view->minimal_any &&
+ !TCP(qctx->client) &&
+ qctx->qtype == dns_rdatatype_any &&
+ (qctx->rdataset->type == dns_rdatatype_dnskey ||
+ qctx->rdataset->type == dns_rdatatype_cdnskey ||
+ qctx->rdataset->covers == dns_rdatatype_dnskey ||
+ qctx->rdataset->covers == dns_rdatatype_cdnskey)) {
+ CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: "
+ "minimal-any skip (C)DNSKEY");
+ dns_rdataset_disassociate(qctx->rdataset);
+ } else if (qctx->client->view->minimal_any &&
 !TCP(qctx->client) && onetype != 0 &&
 qctx->rdataset->type != onetype &&
 qctx->rdataset->covers != onetype)
@@ -9513,9 +9523,10 @@ ns_query_start(ns_client_t *client) {
 }
 
 /*
- * Turn on minimal response for DNSKEY and DS queries.
+ * Turn on minimal response for (C)DNSKEY and (C)DS queries.
 */
- if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
+ if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds ||
+ qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds)
 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 NS_QUERYATTR_NOADDITIONAL);
 
-- 
2.10.1.445.g3cdd5d1
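Review bot: The new (C)DNSKEY branch in query_respond_any only keeps the UDP ANY answer non-empty if `onetype` has not already been set to dnskey/cdnskey before this else-if chain runs; if `onetype` is assigned from an earlier RRset outside the hunk, this branch drops the (C)DNSKEY RRset and the following branch then drops every RRset whose type and covers differ from `onetype`, which could leave no answer RRset at all, so the assignment order should be confirmed (query_respond_any starts and ends outside the hunk). The two `covers ==` arms also appear to overlap with the preceding "minimal-any skip signature" branch if that branch already disassociates every RRSIG; if it does, they are unreachable and could be dropped. The intent of the skip is not visible from the condition itself, so a why-comment above it would help, e.g. `/* Never keep a (C)DNSKEY RRset as the single RRset of a UDP ANY answer: it is large, and at the apex another RRset is available to return instead. */`.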
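Review bot: The widened condition in ns_query_start now hard-codes the same four-type set that query_respond_any special-cases for minimal-any, with nothing tying the two together, so a reader changing one is unlikely to update the other; extending the block comment to `* Turn on minimal response for (C)DNSKEY and (C)DS queries; keep this type list in sync with the minimal-any skip in query_respond_any.` would make the coupling explicit. The two-line condition over an unbraced two-line assignment is also easy to misread, and bracing the `if` body would make the statement boundary unambiguous. ns_query_start continues outside the hunk.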