layer/iterate: fail answers with NSs outside bailiwick immediately
authorMarek Vavruša <marek.vavrusa@nic.cz>
Thu, 10 Dec 2015 23:53:35 +0000 (00:53 +0100)
committerMarek Vavruša <marek.vavrusa@nic.cz>
Thu, 10 Dec 2015 23:53:35 +0000 (00:53 +0100)
lib/layer/iterate.c

index 7e88885f137cdc9a93bd32a4e6b219569d789ab8..69ec3714c678c924d48eb7e1ed846ae844cae838 100644 (file)
@@ -222,8 +222,8 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr, struct kr_request
        /* Authority MUST be at/below the authority of the nameserver, otherwise
         * possible cache injection attempt. */
        if (!knot_dname_in(cut->name, rr->owner)) {
-               DEBUG_MSG("<= authority: ns outside bailiwick, ignoring\n");
-               return state;
+               DEBUG_MSG("<= authority: ns outside bailiwick, failing\n");
+               return KNOT_STATE_FAIL;
        }
 
        /* Update zone cut name */
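Review bot: The comment above the `knot_dname_in(cut->name, rr->owner)` check still states only the rule, not the new consequence; because the branch now returns `KNOT_STATE_FAIL` instead of the incoming `state`, it should say that the whole answer is rejected, e.g. `/* ... Fail the whole answer: one out-of-bailiwick NS means the rest of the packet cannot be trusted. */`. The rejection is reported only through `DEBUG_MSG`, which is presumably silent in non-debug builds, so an operator investigating resolution failures or a suspected poisoning attempt would have no trace of it; consider logging the owner and cut names at a level visible in production. How the caller reacts to `KNOT_STATE_FAIL` (retrying another server versus failing the query) is not visible here, since `update_cut` starts and ends outside the hunk, and is worth confirming so that a single stray NS record cannot cause a resolution outage.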