From 0735b60f6e29f54fd43397526c69881d16283b86 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 3 Jul 2017 11:16:51 +0200
Subject: [PATCH] rec: Handle Secure to Insecure cut on the same auth servers

Meaning the NS answer for the Insecure zone won't be signed and won't have a DS denial. We will pick that up with the following DS query, but we need to make sure the NS answer isn't considered Bogus even though it's not signed.
---
 pdns/syncres.cc | 19 ++++++++++++++++++-
 pdns/syncres.hh | 1 +
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 8fa0f95769..10ebd47409 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1389,6 +1389,18 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 return Bogus;
 }
+bool SyncRes::haveExactValidationStatus(const DNSName& domain)
+{
+ if (!validationEnabled()) {
+ return false;
+ }
+ const auto& it = d_cutStates.find(domain);
+ if (it != d_cutStates.cend()) {
+ return true;
+ }
+ return false;
+}
+
 vState SyncRes::getValidationStatus(const DNSName& subdomain)
 {
 vState result = Indeterminate;
@@ -1773,7 +1785,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 continue;
 vState recordState = getValidationStatus(auth);
- LOG(d_prefix<<": got status "<first.name<first.name<first.name<first.name, i->second.records, i->second.signatures);
+ /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
+ if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
+ recordState = Indeterminate;
+ }
 }
 }
 }
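Review bot: `const auto& it = d_cutStates.find(domain);` in the new haveExactValidationStatus binds a reference to the temporary iterator that find() returns; it is legal through lifetime extension, but it reads as if `it` aliased something stored in the map, and `const auto it` is the conventional spelling. The two-branch tail adds nothing either, so the body after the validationEnabled() guard can simply be `return d_cutStates.find(domain) != d_cutStates.cend();`. The function also carries no comment saying how it differs from getValidationStatus right below it; I would add `/* true only when 'domain' itself has a cut state recorded in d_cutStates (no parent lookup), and always false while validation is disabled */`, noting that the `subdomain` parameter name of getValidationStatus suggests that one consults enclosing cuts as well, which should be confirmed before the comment contrasts them.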
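Review bot: The Bogus-to-Indeterminate downgrade added after the validateRecordsWithSigs call is the one place in this hunk where an unsigned NS answer stops being treated as Bogus, and it leaves no trace in the log, unlike the "got status" line just above it. Because that weakening of the verdict is exactly what an operator would want to see when debugging a zone that resolves unexpectedly, I would log it before `recordState = Indeterminate;`, e.g. `LOG(d_prefix<<": unsigned NS answer for "<<i->first.name<<" downgraded from Bogus to Indeterminate, assuming a missed zone cut"<<endl);`. The guard also looks up i->first.name twice, first through haveExactValidationStatus and then through getValidationStatus; if the latter returns the exact d_cutStates entry whenever one exists, a single lookup would do, but that cannot be confirmed from this hunk. updateCacheFromRecords starts and ends outside the hunk, and the replaced LOG line is garbled in this copy of the patch, so I have not reviewed it.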
@@ -1799,6 +1815,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
 }
 }
+ updateValidationState(state, recordState);
 } else {
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index e6a4e8d149..cfe4ccf574 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -750,6 +750,7 @@ private:
 vState getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth);
 void getDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState expectedState, bool allowOptOut);
 vState getTA(const DNSName& zone, dsmap_t& ds);
+ bool haveExactValidationStatus(const DNSName& domain);
 vState getValidationStatus(const DNSName& subdomain);
 void computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth);
-- 
2.47.2