lib/resolve: cached names below cut are treated insecure

author Marek Vavruša <marek.vavrusa@nic.cz>

Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)

committer Marek Vavruša <marek.vavrusa@nic.cz>

Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
author Marek Vavruša <marek.vavrusa@nic.cz>
Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
committer Marek Vavruša <marek.vavrusa@nic.cz>
Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
diff --git a/lib/resolve.c b/lib/resolve.c

index 96ec791d1354c3fe176e302fe95fee193c4a82ce..f2f13e5a6bf38fb33b9e2ea914fd6881122f4190 100644 (file)
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -270,8 +270,10 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
         /* Deferred zone cut lookup for this query. */
         qry->flags |= QUERY_AWAIT_CUT;
         /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
+       map_t *negative_anchors = &request->ctx->negative_anchors;
         map_t *trust_anchors = &request->ctx->trust_anchors;
-       if (knot_pkt_has_dnssec(packet) && kr_ta_covers(trust_anchors, qname)) {
+       if (knot_pkt_has_dnssec(packet) &&
+           kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
                 qry->flags |= QUERY_DNSSEC_WANT;
         }
author	Marek Vavruša <marek.vavrusa@nic.cz>
	Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)
committer	Marek Vavruša <marek.vavrusa@nic.cz>
	Sun, 4 Oct 2015 19:24:46 +0000 (21:24 +0200)