validate: fix when NS is both parent and child and child is insecure
authorMarek Vavruša <mvavrusa@cloudflare.com>
Mon, 18 Jun 2018 23:17:53 +0000 (16:17 -0700)
committerMarek Vavruša <mvavrusa@cloudflare.com>
Fri, 7 Sep 2018 17:45:21 +0000 (10:45 -0700)
When an NS is both parent and child, it responds to the final query
without a signature, and the resolver is supposed to ask for DS to prove
the transition to insecure. Previously, this was only checked for NS
queries (made during referral chasing), so it worked for intermediate
nameservers, but not for the final one.

lib/layer/validate.c

index 1d205aa6fe29f58dd5ea3735936d71fbac99571b..51bb4add9967ef85d9994cc33dd90a729012d04a 100644 (file)
@@ -710,7 +710,7 @@ static int check_signer(kr_layer_t *ctx, knot_pkt_t *pkt)
                         * to prove transition to INSECURE. */
                        const uint16_t qtype = knot_pkt_qtype(pkt);
                        const knot_dname_t *qname = knot_pkt_qname(pkt);
-                       if (qtype == KNOT_RRTYPE_NS &&
+                       if (qtype != KNOT_RRTYPE_DS &&
                            knot_dname_in_bailiwick(qname, qry->zone_cut.name) > 0) {
                                /* Server is authoritative
                                 * for both parent and child,
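Review bot: The new `qtype != KNOT_RRTYPE_DS &&` condition sends every unsigned answer below the zone cut down the DS-proof path, but no visible comment explains why DS is the one type left out. The exemption looks like what stops the proof query from re-entering this branch; if that reading is right, put `/* Any qtype except DS: the DS query is the proof itself and must not re-trigger this path. */` directly above the condition. The comment this hunk opens and closes in is cut off at both ends, so check that the rest of it no longer describes the case as specific to NS queries made during referral chasing. This branch decides when a missing signature is tolerated, so it is worth confirming in the code outside the hunk that the answer is only treated as insecure after the DS denial itself validates. `check_signer` starts and ends outside the hunk.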