rrtype = KNOT_RRTYPE_CNAME;
ret = loot_rr(&txn, pkt, qry->sname, qry->sclass, rrtype, qry, &rank, 0);
}
- /* Record isn't flagged as INSECURE => doesn't have RRSIG. */
+ /* Record is flagged as INSECURE => doesn't have RRSIG. */
if (ret == 0 && (rank & KR_RANK_INSECURE)) {
+ qry->flags |= QUERY_DNSSEC_INSECURE;
qry->flags &= ~QUERY_DNSSEC_WANT;
/* Record may have RRSIG, try to find it. */
} else if (ret == 0 && dobit) {
if (state == KNOT_STATE_DONE && rplan->resolved.len > 0) {
struct kr_query *last = array_tail(rplan->resolved);
/* Do not set AD for RRSIG query, as we can't validate it. */
- if ((last->flags & QUERY_DNSSEC_WANT) && knot_pkt_has_dnssec(answer) &&
- knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG) {
+ const bool dnssec_ok = (last->flags & QUERY_DNSSEC_WANT) && !(last->flags & QUERY_DNSSEC_INSECURE);
+ if (dnssec_ok && knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG) {
knot_wire_set_ad(answer->wire);
}
}
/* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
map_t *negative_anchors = &request->ctx->negative_anchors;
map_t *trust_anchors = &request->ctx->trust_anchors;
- if (knot_pkt_has_dnssec(packet) &&
+ if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
qry->flags |= QUERY_DNSSEC_WANT;
}
projects / thirdparty / knot-resolver.git / commitdiff
