lib/resolve: cached names below cut are treated insecure
authorMarek Vavruša <marek.vavrusa@nic.cz>
Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
committerMarek Vavruša <marek.vavrusa@nic.cz>
Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
lib/resolve.c

index 96ec791d1354c3fe176e302fe95fee193c4a82ce..f2f13e5a6bf38fb33b9e2ea914fd6881122f4190 100644 (file)
@@ -270,8 +270,10 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
        /* Deferred zone cut lookup for this query. */
        qry->flags |= QUERY_AWAIT_CUT;
        /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
+       map_t *negative_anchors = &request->ctx->negative_anchors;
        map_t *trust_anchors = &request->ctx->trust_anchors;
-       if (knot_pkt_has_dnssec(packet) && kr_ta_covers(trust_anchors, qname)) {
+       if (knot_pkt_has_dnssec(packet) &&
+           kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
                qry->flags |= QUERY_DNSSEC_WANT;
        }
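Review bot: The widened `if` clears the way for QUERY_DNSSEC_WANT only when no negative anchor covers qname, but it tests the two maps as independent booleans, so a positive trust anchor configured below a negative one would apparently be suppressed too (this assumes kr_ta_covers matches any ancestor, which the hunk does not show). Negative-trust-anchor guidance (RFC 7646) generally lets the anchor closest to the name decide, so the check should compare the closest covering entry from each map rather than `kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)`. The comment above the declarations still describes only the positive case; it should read something like `/* Want DNSSEC if the name is covered by a TA and not by a negative TA, which deliberately disables validation below it */`. Because this branch silently downgrades answers for the name to insecure, a verbose log entry when the negative anchor is what suppressed validation would let operators audit the scope of that downgrade. resolve_query starts and ends outside this hunk.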