layer/validate: additional processing for chained DS queries

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index f7d07999b46d5427308d05bd04368696123cc402..ed58f25c3a05aa7a483c23033abcdebe03cfb2a7 100644 (file)
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -280,8 +280,14 @@ static int update_parent_keys(struct kr_query *qry, uint16_t answer_type)
        case KNOT_RRTYPE_DS:
                DEBUG_MSG(qry, "<= parent: updating DS\n");
                if (qry->flags & QUERY_DNSSEC_INSECURE) { /* DS non-existence proven. */
-                       parent->flags &= ~QUERY_DNSSEC_WANT;
-                       parent->flags |= QUERY_DNSSEC_INSECURE;
+                       do {
+                               parent->flags &= ~QUERY_DNSSEC_WANT;
+                               parent->flags |= QUERY_DNSSEC_INSECURE;
+                               if (parent->stype != KNOT_RRTYPE_DS) {
+                                       break;
+                               }
+                               parent = parent->parent;
+                       } while (parent);
                } else { /* DS existence proven. */
                        parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool);
                        if (!parent->zone_cut.trust_anchor) {