and fixup with DEBUG -> VERBOSE renames.
/* Fetch either answer to original or minimized query */
uint8_t flags = 0;
- struct kr_cache *cache = &ctx->req->ctx->cache;
- int ret = loot_pktcache(cache, pkt, qry, &flags);
+ struct kr_cache *cache = &req->ctx->cache;
+ int ret = loot_pktcache(cache, pkt, req, &flags);
if (ret == 0) {
- DEBUG_MSG(qry, "=> satisfied from cache\n");
+ VERBOSE_MSG(qry, "=> satisfied from cache\n");
qry->flags |= QUERY_CACHED|QUERY_NO_MINIMIZE;
if (flags & KR_CACHE_FLAG_WCARD_PROOF) {
qry->flags |= QUERY_DNSSEC_WEXPAND;
/* Check if the same CNAME was already resolved */
if (next_cname) {
char key[KR_RRKEY_LEN];
- int ret = kr_rrkey(key, next_cname, rr->type, KR_RANK_AUTH);
+ int ret = kr_rrkey(key, next_cname, rr->type, rank);
if (ret != 0 || map_get(stash, key)) {
- DEBUG_MSG(qry, "<= cname chain loop\n");
+ VERBOSE_MSG(qry, "<= cname chain loop\n");
next_cname = NULL;
}
}
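Review bot: The loop-detection key built on the `kr_rrkey(key, next_cname, rr->type, rank)` line now carries `rank` instead of the fixed KR_RANK_AUTH, so the `map_get(stash, key)` lookup only matches an earlier occurrence of the CNAME if it was stashed under the same rank value. `rank` is declared outside this hunk, so I cannot confirm from the visible lines that the stash side computes it the same way; if it differs, a repeated CNAME would not be found and the chain-loop guard would silently stop working. A short comment above the call would pin that contract for the next maintainer: `/* rank must equal the rank used when this CNAME was stashed, otherwise the loop check misses */`. The enclosing function starts and ends outside the hunk.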
/* Pass-through if user doesn't want secure answer or stub. */
/* @todo: Validating stub resolver mode. */
if (!(qry->flags & QUERY_DNSSEC_WANT) || (qry->flags & QUERY_STUB)) {
- DEBUG_MSG(qry, "<= cached insecure response, going insecure\n");
+ /* Got validated insecure answer from cache
+ Mark parent(s) as insecure */
+ if ((qry->flags & (QUERY_CACHED | QUERY_DNSSEC_INSECURE)) ==
+ (QUERY_CACHED | QUERY_DNSSEC_INSECURE) &&
+ qry->parent != NULL) {
+ /* if there is a chain of DS queries, mark all of them */
+ struct kr_query *parent = qry->parent;
+ do {
+ parent->flags &= ~QUERY_DNSSEC_WANT;
+ parent->flags |= QUERY_DNSSEC_INSECURE;
+ parent = parent->parent;
+ } while (parent && parent->stype == KNOT_RRTYPE_DS);
++ VERBOSE_MSG(qry, "<= cached insecure response, going insecure\n");
+ ctx->state = KR_STATE_DONE;
+ }
return ctx->state;
}
+ /* Pass-through if CD bit is set. */
+ if (knot_wire_get_cd(req->answer->wire)) {
+ return ctx->state;
+ }
/* Answer for RRSIG may not set DO=1, but all records MUST still validate. */
bool use_signatures = (knot_pkt_qtype(pkt) != KNOT_RRTYPE_RRSIG);
if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt) && !use_signatures) {
qry->flags &= ~QUERY_DNSSEC_WANT;
}
/* Enable DNSSEC if enters a new island of trust. */
- bool want_secured = (qry->flags & QUERY_DNSSEC_WANT);
- if (!want_secured && kr_ta_get(trust_anchors, qry->zone_cut.name)) {
+ bool want_secured = (qry->flags & QUERY_DNSSEC_WANT) &&
+ !knot_wire_get_cd(request->answer->wire);
+ if (!(qry->flags & QUERY_DNSSEC_WANT) &&
+ !knot_wire_get_cd(request->answer->wire) &&
+ kr_ta_get(trust_anchors, qry->zone_cut.name)) {
qry->flags |= QUERY_DNSSEC_WANT;
want_secured = true;
- WITH_DEBUG {
+ WITH_VERBOSE {
char qname_str[KNOT_DNAME_MAXLEN];
knot_dname_to_str(qname_str, qry->zone_cut.name, sizeof(qname_str));
- DEBUG_MSG(qry, ">< TA: '%s'\n", qname_str);
+ VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str);
}
}
if (want_secured && !qry->zone_cut.trust_anchor) {