* otherwise referral is bogus (or an attempted downgrade attack).
*/
+
unsigned section = KNOT_ANSWER;
- if (!knot_wire_get_aa(answer->wire)) { /* Referral */
+ const bool referral = !knot_wire_get_aa(answer->wire);
+ if (referral) {
section = KNOT_AUTHORITY;
- } else if (knot_pkt_qtype(answer) == KNOT_RRTYPE_DS &&
- !(qry->flags & QUERY_CNAME)) {
+ } /* else if {
+ Not referral, but RCODE is NXDOMAIN.
+ * Since we are here NXDOMAIN is proved above,
+ * so do nothing and exit.
+ return kr_ok();
+ } */ else if (knot_pkt_qtype(answer) == KNOT_RRTYPE_DS &&
+ !(qry->flags & QUERY_CNAME) &&
+ (knot_wire_get_rcode(answer->wire) != KNOT_RCODE_NXDOMAIN)) {
section = KNOT_ANSWER;
} else { /* N/A */
return kr_ok();
if (!new_ds) {
/* No DS provided, check for proof of non-existence. */
if (!has_nsec3) {
- if (!knot_wire_get_aa(answer->wire)) {
- /* Referral, check if it is referral to unsigned, rfc4035 5.2 */
+ if (referral) {
+ /* Check if it is referral to unsigned, rfc4035 5.2 */
ret = kr_nsec_ref_to_unsigned(answer);
} else {
/* No-data answer */
ret = kr_nsec_existence_denial(answer, KNOT_AUTHORITY, proved_name, KNOT_RRTYPE_DS);
}
} else {
- if (!knot_wire_get_aa(answer->wire)) {
- /* Referral, check if it is referral to unsigned, rfc5155 8.9 */
+ if (referral) {
+ /* Check if it is referral to unsigned, rfc5155 8.9 */
ret = kr_nsec3_ref_to_unsigned(answer);
} else {
/* No-data answer, QTYPE is DS, rfc5155 8.6 */
}
}
- if (!knot_wire_get_aa(answer->wire) &&
- qry->stype != KNOT_RRTYPE_DS &&
+ if (referral && qry->stype != KNOT_RRTYPE_DS &&
ret == DNSSEC_NOT_FOUND) {
/* referral,
* qtype is not KNOT_RRTYPE_DS, NSEC\NSEC3 were not found.
projects / thirdparty / knot-resolver.git / commitdiff
