dnssec/nsec3: don't set AD flag in properly signed wildcard nodata answer
authorGrigorii Demidov <grigorii.demidov@nic.cz>
Thu, 13 Apr 2017 09:15:32 +0000 (11:15 +0200)
committerGrigorii Demidov <grigorii.demidov@nic.cz>
Thu, 13 Apr 2017 09:15:32 +0000 (11:15 +0200)
lib/dnssec/nsec3.c
tests/deckard

index 34ddd74597cf525019463e45a71ec82adb5d98f9..5a201353e71ed2c5cdadc6b777a3931cae6a666f 100644 (file)
@@ -702,6 +702,14 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
                                                 encloser_name, stype);
        if (ret == 0) {
                /* Satisfies RFC5155 8.7 */
+               if (has_optout(covering_next_nsec3)) {
+                       /* Opt-out is detected.
+                        * Despite the fact that all records
+                        * in the packet can be properly signed,
+                        * AD bit must not be set due to rfc5155 9.2.
+                        * Return appropriate code to the caller */
+                       ret = kr_error(DNSSEC_OUT_OF_RANGE);
+               }
                return ret;
        }
 
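Review bot: The new `if (has_optout(covering_next_nsec3))` branch returns `kr_error(DNSSEC_OUT_OF_RANGE)`, the same code the second hunk of this file returns when the wildcard proof is missing, so a caller cannot distinguish a correctly proven but insecure (opt-out) answer from a failed proof unless it already maps DNSSEC_OUT_OF_RANGE to "insecure, clear AD" rather than "bogus"; that mapping is not visible here and should be confirmed before relying on it. The comment should state which of those two meanings this return carries; I would tighten it to `/* Opt-out NSEC3 covers the next closer name: the proof is valid but the answer is insecure (RFC 5155 §9.2), so the caller must not set AD. */`. Whether `covering_next_nsec3` is guaranteed non-NULL on every path where the preceding call returns 0 is also outside the hunk; if it is not, `has_optout()` needs a NULL guard in front of it. kr_nsec3_no_data starts before this hunk and continues past it.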
@@ -719,7 +727,7 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
                 */
                ret = kr_error(DNSSEC_OUT_OF_RANGE);
        }
-       
+
        return ret;
 }
 
index b985a91d0e5f2f30d430d3fb4823f20f78661c70..a53c2d202002f6c53451ea7bbd41cb925e08a713 160000 (submodule)
@@ -1 +1 @@
-Subproject commit b985a91d0e5f2f30d430d3fb4823f20f78661c70
+Subproject commit a53c2d202002f6c53451ea7bbd41cb925e08a713