resolver: don't set AD if both Answer and Authority are empty.
authormenakite <29005531+menakite@users.noreply.github.com>
Thu, 29 Aug 2024 03:55:28 +0000 (05:55 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 30 Dec 2025 09:44:47 +0000 (10:44 +0100)
Fixes #914 (nord module: AD=1 is no good)

NEWS
lib/resolve.c
modules/refuse_nord/refuse_nord.c

diff --git a/NEWS b/NEWS
index 2b2f13e82aad4226f53a668a2385f6a0e9a6088d..7880babfe877fe06a20766d96fbe6a9e5ded60b6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ Improvements:
 - logging: improved logging groups (!1768)
 - support libdnssec merged into libknot, as planned for knot >= 3.6 (!1769)
 - support cmocka 2.0.0 (!1772)
+- avoid AD=1 in reply if ANSWER+AUTHORITY are empty (#914, !1779)
 
 Bugfixes
 --------
index bc00471bc746a2e1167e519b06fb88d2a1f0a88a..7426e1ac96efe92a48dee340c9fe5b783fe66d5e 100644 (file)
@@ -394,6 +394,12 @@ static void answer_finalize(struct kr_request *request)
                return;
        }
 
+       if (knot_wire_get_ancount(answer->wire) == 0 && knot_wire_get_nscount(answer->wire) == 0) {
+               /* Let's disable AD flag if the set of RRs covered by it is empty,
+                * though it seems unclear to vcunat what RFCs say about that special case. */
+               secure = false;
+       }
+
        /* AD: "negative answers" need more handling. */
        if (kr_response_classify(answer) != PKT_NOERROR
            /* Additionally check for CNAME chains that "end in NODATA",
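Review bot: The comment above the new `secure = false` leaves the rationale as an open question, although RFC 4035 §3.2.3 answers it: AD asserts that all RRsets in the ANSWER section and the relevant negative-proof RRs in the AUTHORITY section are authentic, so with both sections empty the bit is a vacuous claim, and on a REFUSED reply (the refuse_nord case in #914) it would wrongly suggest that something was validated. I would replace the comment with `/* RFC 4035 §3.2.3: AD covers the RRsets in ANSWER and AUTHORITY; with both empty (e.g. a REFUSED reply) nothing has been authenticated, so do not claim it. */`. The check reads the section counts from `answer->wire` at this point, so it is only correct if no records are appended later in answer_finalize(); the function begins before the hunk, so I cannot confirm that from here.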
index 607ff6144782f3d1b5a366620a55ba099bf2f1ae..f5171e6ca59937a08ea0709d116fb9b8287bb0b2 100644 (file)
@@ -20,7 +20,6 @@ static int refuse_nord_query(kr_layer_t *ctx)
        if (!answer)
                return ctx->state;
        knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED);
-       knot_wire_clear_ad(answer->wire);
        kr_request_set_extended_error(req, KNOT_EDNS_EDE_NOTAUTH, "ABC4");
        ctx->state = KR_STATE_DONE;
        return ctx->state;
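Review bot: With the explicit `knot_wire_clear_ad()` gone, nothing in this function prevents AD=1 on the REFUSED reply; it now relies on answer_finalize() in lib/resolve.c clearing the flag only when the packet's ANSWER and AUTHORITY counts are both zero, a condition this hunk neither checks nor documents. That holds as long as no earlier layer has placed records into `answer`, which I cannot verify from the hunk, and a later change that adds e.g. an AUTHORITY RR to this reply could reintroduce the misleading AD bit without any diagnostic. I would record the dependency next to the rcode line: `/* AD is intentionally not cleared here: answer_finalize() drops it because ANSWER and AUTHORITY stay empty. */`. refuse_nord_query's body begins before the hunk.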