From: Marek Vavruša
Date: Mon, 18 Jun 2018 23:17:53 +0000 (-0700)
Subject: validate: fix when NS is both parent and child and child is insecure
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0b86ecb56af3698246ab63e054c498754ee2e36;p=thirdparty%2Fknot-resolver.git

validate: fix when NS is both parent and child and child is insecure

When NS is both parent and child, it would respond to the final query without signature and resolver is supposed to ask for DS to prove the transition to insecure. Previously, this was only checked for NS queries (made during referral chasing), so it would work for intermediate nameservers, but not for final.
---
diff --git a/lib/layer/validate.c b/lib/layer/validate.c index 1d205aa6f..51bb4add9 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@ -710,7 +710,7 @@ static int check_signer(kr_layer_t *ctx, knot_pkt_t *pkt) * to prove transition to INSECURE. */ const uint16_t qtype = knot_pkt_qtype(pkt); const knot_dname_t *qname = knot_pkt_qname(pkt); - if (qtype == KNOT_RRTYPE_NS && + if (qtype != KNOT_RRTYPE_DS && knot_dname_in_bailiwick(qname, qry->zone_cut.name) > 0) { /* Server is authoritative * for both parent and child,
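Review bot: the widened condition in check_signer(), `qtype != KNOT_RRTYPE_DS`, now sends every query type except DS into the "authoritative for both parent and child" branch, but neither comment around it says why DS is the one exception. If the reason is that the DS query is itself the one issued to prove the transition to INSECURE, and so must not re-enter this branch, state that in the comment above the `if`, so the negative test is not later "simplified" back to a positive type match. The patch also touches only lib/layer/validate.c: a regression test with an unsigned final answer (a non-NS qtype) from a server that is authoritative for both the parent and the insecure child would pin the behaviour the commit message describes, alongside the referral-chasing NS case that already worked.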