lib/resolve answer_finalize: fix AD flag handling

Resolves a FIXME, and this way of doing AD should be better/safer.
(Lower likelihood of accidentally leaving it on in some situation.)

GC test: the record is inserted manually with _SECURE rank but without
signatures.  I think it's better to return AD flag in that edge case.

diff --git a/lib/resolve.c b/lib/resolve.c
index ba72dc4021d2c89519fa8822f525c6037f020b70..53de0fa55b62e6b89e9459c8792b680e7d3af3b3 100644 (file)
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -567,6 +567,7 @@ static void answer_finalize(struct kr_request *request)
 {
        struct kr_rplan *rplan = &request->rplan;
        knot_pkt_t *answer = request->answer;
+       const uint8_t *q_wire = request->qsource.packet->wire;
 
        if (answer->rrset_count != 0) {
                /* Non-standard: we assume the answer had been constructed.
@@ -605,7 +606,7 @@ static void answer_finalize(struct kr_request *request)
        /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */
        if (last->flags.DNSSEC_BOGUS
            || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) {
-               if (!knot_wire_get_cd(request->qsource.packet->wire)) {
+               if (!knot_wire_get_cd(q_wire)) {
                        answer_fail(request);
                        return;
                }
@@ -670,9 +671,10 @@ static void answer_finalize(struct kr_request *request)
        VERBOSE_MSG(last, "AD: request%s classified as SECURE\n", secure ? "" : " NOT");
        request->rank = secure ? KR_RANK_SECURE : KR_RANK_INITIAL;
 
-       /* Clear AD if not secure.  ATM answer has AD=1 if requested secured answer. */
-       if (!secure) {
-               knot_wire_clear_ad(answer->wire);
+       /* Set AD if secure and AD bit "was requested". */
+       if (secure && !knot_wire_get_cd(q_wire)
+           && (knot_pkt_has_dnssec(answer) || knot_wire_get_ad(q_wire))) {
+               knot_wire_set_ad(answer->wire);
        }
 }
 
@@ -811,8 +813,6 @@ knot_pkt_t * kr_request_ensure_answer(struct kr_request *request)
        knot_wire_set_rcode(wire, KNOT_RCODE_NOERROR);
        if (knot_wire_get_cd(qs_pkt->wire)) {
                knot_wire_set_cd(wire);
-       } else if (request->current_query && request->current_query->flags.DNSSEC_WANT) { // FIXME: ugly
-               knot_wire_set_ad(wire);
        }
 
        // Prepare EDNS if required.

diff --git a/utils/cache_gc/test.integr/val_rrsig.rpl b/utils/cache_gc/test.integr/val_rrsig.rpl
index 28c77ac3c3f1a3f270fba96fd16b7106c61a14b6..22002b78322b7a9839b36a556c44149d6221985b 100644 (file)
--- a/utils/cache_gc/test.integr/val_rrsig.rpl
+++ b/utils/cache_gc/test.integr/val_rrsig.rpl
@@ -13,7 +13,7 @@ ENTRY_END
 STEP 2 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -30,7 +30,7 @@ ENTRY_END
 STEP 4 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -47,7 +47,7 @@ ENTRY_END
 STEP 6 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -64,7 +64,7 @@ ENTRY_END
 STEP 8 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -81,7 +81,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -98,7 +98,7 @@ ENTRY_END
 STEP 12 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -115,7 +115,7 @@ ENTRY_END
 STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -132,7 +132,7 @@ ENTRY_END
 STEP 16 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -149,7 +149,7 @@ ENTRY_END
 STEP 18 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -166,7 +166,7 @@ ENTRY_END
 STEP 20 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -183,7 +183,7 @@ ENTRY_END
 STEP 22 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -200,7 +200,7 @@ ENTRY_END
 STEP 24 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -217,7 +217,7 @@ ENTRY_END
 STEP 26 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -234,7 +234,7 @@ ENTRY_END
 STEP 28 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -251,7 +251,7 @@ ENTRY_END
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -268,7 +268,7 @@ ENTRY_END
 STEP 32 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -285,7 +285,7 @@ ENTRY_END
 STEP 34 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -302,7 +302,7 @@ ENTRY_END
 STEP 36 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -319,7 +319,7 @@ ENTRY_END
 STEP 38 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -336,7 +336,7 @@ ENTRY_END
 STEP 40 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -353,7 +353,7 @@ ENTRY_END
 STEP 42 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -370,7 +370,7 @@ ENTRY_END
 STEP 44 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -387,7 +387,7 @@ ENTRY_END
 STEP 46 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -404,7 +404,7 @@ ENTRY_END
 STEP 48 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -421,7 +421,7 @@ ENTRY_END
 STEP 50 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -438,7 +438,7 @@ ENTRY_END
 STEP 52 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -455,7 +455,7 @@ ENTRY_END
 STEP 54 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -472,7 +472,7 @@ ENTRY_END
 STEP 56 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -489,7 +489,7 @@ ENTRY_END
 STEP 58 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -506,7 +506,7 @@ ENTRY_END
 STEP 60 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -523,7 +523,7 @@ ENTRY_END
 STEP 62 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -540,7 +540,7 @@ ENTRY_END
 STEP 64 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -557,7 +557,7 @@ ENTRY_END
 STEP 66 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -574,7 +574,7 @@ ENTRY_END
 STEP 68 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -591,7 +591,7 @@ ENTRY_END
 STEP 70 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -608,7 +608,7 @@ ENTRY_END
 STEP 72 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -625,7 +625,7 @@ ENTRY_END
 STEP 74 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -642,7 +642,7 @@ ENTRY_END
 STEP 76 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -659,7 +659,7 @@ ENTRY_END
 STEP 78 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -676,7 +676,7 @@ ENTRY_END
 STEP 80 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -693,7 +693,7 @@ ENTRY_END
 STEP 82 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -710,7 +710,7 @@ ENTRY_END
 STEP 84 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
@@ -727,7 +727,7 @@ ENTRY_END
 STEP 86 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode rcode flags question answer
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER