From a6b42f7814709da89af7fc1d7f1265a68f3cc08a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marek=20Vavru=C5=A1a?= <marek.vavrusa@nic.cz>
Date: Fri, 29 May 2015 23:55:33 +0200
Subject: [PATCH] layer/iterate: do not presume AA=1 is really authoritative

---
 lib/layer/iterate.c              |  6 +++
 tests/testdata/iter_ns_badaa.rpl | 78 ++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 tests/testdata/iter_ns_badaa.rpl

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index da49252d1..10b323c62 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -224,10 +224,12 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
 	int result = KNOT_STATE_CONSUME;
 	const knot_pktsection_t *ns = knot_pkt_section(pkt, KNOT_AUTHORITY);
 
+#ifdef STRICT_MODE
 	/* AA, terminate resolution chain. */
 	if (knot_wire_get_aa(pkt->wire)) {
 		return KNOT_STATE_CONSUME;
 	}
+#endif
 
 	/* Update zone cut information. */
 	for (unsigned i = 0; i < ns->count; ++i) {
@@ -367,6 +369,7 @@ static int prepare_query(knot_layer_t *ctx, knot_pkt_t *pkt)
 
 static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_query *query)
 {
+#ifndef STRICT_MODE
 	/* Work around broken auths/load balancers */
 	if (query->flags & QUERY_SAFEMODE) {
 		return resolve_error(pkt, req);
@@ -374,6 +377,9 @@ static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_que
 		query->flags |= QUERY_SAFEMODE;
 		return KNOT_STATE_DONE;
 	}
+#else
+		return resolve_error(pkt, req);
+#endif
 }
 
 /** Resolve input query or continue resolution with followups.
diff --git a/tests/testdata/iter_ns_badaa.rpl b/tests/testdata/iter_ns_badaa.rpl
new file mode 100644
index 000000000..5407a0745
--- /dev/null
+++ b/tests/testdata/iter_ns_badaa.rpl
@@ -0,0 +1,78 @@
+; config options
+server:
+	target-fetch-policy: "3 2 1 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator with NS falsely declaring referral answer as authoritative.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+; False declaration here
+REPLY QR AA NOERROR
+SECTION QUESTION
+MORECOWBELL. IN A
+SECTION AUTHORITY
+MORECOWBELL.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+CATALYST.MORECOWBELL. IN A
+SECTION ANSWER
+CATALYST.MORECOWBELL. IN A	10.20.30.40
+SECTION AUTHORITY
+CATALYST.MORECOWBELL.	IN NS	a.gtld-servers.net.
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+catalyst.morecowbell. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+catalyst.morecowbell. IN A
+SECTION ANSWER
+catalyst.morecowbell. IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END
-- 
2.47.3