qry->flags.DNSSEC_WANT = false;
}
/* Check if any DNSKEY found for cached cut */
- if ((qry->flags.DNSSEC_WANT) && (cut_found.key == NULL)) {
- /* No DNSKEY was found for cached cut.
- * If no glue were fetched for this cut,
- * we have got circular dependency - must fetch A\AAAA
- * from authoritative, but we have no key to verify it.
- * TODO - try to refetch cut only if no glue were fetched */
+ if (qry->flags.DNSSEC_WANT && cut_found.key == NULL &&
+ !kr_zonecut_is_any_glue(&cut_found)) {
+ /* Cut found and there are no proofs of zone insecurity.
+ * But no DNSKEY found and no glue fetched.
+ * We have got circular dependency - must fetch A\AAAA
+ * from authoritative, but we have no key to verify it. */
kr_zonecut_deinit(&cut_found);
if (requested_name[0] != '\0' ) {
/* If not root - try next label */
return map_get(nsset, key);
}
+static int is_any_glue(const char *k, void *v, void *baton)
+{
+ bool *glue_found = (bool *)baton;
+ if (*glue_found) {
+ return kr_ok();
+ }
+
+ pack_t *pack = (pack_t *)v;
+ if (pack != NULL && pack->len != 0) {
+ *glue_found = true;
+ }
+
+ return kr_ok();
+}
+
+bool kr_zonecut_is_any_glue(struct kr_zonecut *cut)
+{
+ if (!cut) {
+ return false;
+ }
+
+ bool glue_found = false;
+ map_t *nsset = &cut->nsset;
+
+ map_walk(nsset, is_any_glue, &glue_found);
+ return glue_found;
+}
+
int kr_zonecut_set_sbelt(struct kr_context *ctx, struct kr_zonecut *cut)
{
if (!ctx || !cut) {
int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut,
const knot_dname_t *name, const struct kr_query *qry,
bool * restrict secured);
+/**
+ * Check if any glue addresses are present in zone cut
+ *
+ * @param cut zone cut to check
+ * @return true/false
+ */
+KR_EXPORT
+bool kr_zonecut_is_any_glue(struct kr_zonecut *cut);
-Subproject commit 9c7c6313552892913fd6e3e13d295c166b1c0623
+Subproject commit ca6336af648f52b71a0d13f17bba3d41728569cb
projects / thirdparty / knot-resolver.git / commitdiff
