validator: fix after fac462e163a2614e24d2c604a9b120b949796a72.

See:
  https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1590#note_304380

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 1a871b4469fe2ab4eb683aa637fa17e77ab1d276..321b0a2541f5ec652010e79424670ff7ac42d6a5 100644 (file)
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1415,6 +1415,13 @@ static int validate_finalize(kr_layer_t *ctx) {
        /* Clear DNSSEC-related Extended Error in case the request managed to succeed somehow. */
        if (ctx->state == KR_STATE_DONE) {
                switch (ctx->req->extended_error.info_code) {
+               case KNOT_EDNS_EDE_DNSKEY_ALG:
+               case KNOT_EDNS_EDE_DS_DIGEST:
+               case KNOT_EDNS_EDE_NSEC3_ITERS: ;
+                       /* These EDEs are meant to result into _INSECURE success. */
+                       const struct kr_query *qry = kr_rplan_resolved(&ctx->req->rplan);
+                       if (qry->flags.DNSSEC_INSECURE)
+                               break;
                case KNOT_EDNS_EDE_BOGUS:
                case KNOT_EDNS_EDE_NSEC_MISS:
                case KNOT_EDNS_EDE_RRSIG_MISS:
@@ -1422,8 +1429,6 @@ static int validate_finalize(kr_layer_t *ctx) {
                case KNOT_EDNS_EDE_EXPIRED_INV:
                case KNOT_EDNS_EDE_SIG_NOTYET:
                case KNOT_EDNS_EDE_DNSKEY_BIT:
-               case KNOT_EDNS_EDE_DNSKEY_ALG:
-               case KNOT_EDNS_EDE_DS_DIGEST:
                case KNOT_EDNS_EDE_DNSKEY_MISS:
                        kr_request_set_extended_error(ctx->req, KNOT_EDNS_EDE_NONE, NULL);
                        break;