iterate: update zone cut when NS is authoritative for both parent and child

In some cases the NS is authoritative for both parent and the child side of
the delegation (e.g. nrl.navy.mil). When it gets the query for such NS,
it can respond from the child side with an NS record in the answer and AA=1.
The resolver should update the zone cut accordingly, otherwise it would fail
validation in cases when the child-side of the delegation is insecure,
but parent side  of the delegation is secure, because the child side
would respond without DNSSEC records, and it wouldn't indicate that
the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index a4bd12e43390f5ef26385d22d696a8dab284a35a..debfe7d2297f4296bfc4959f166cc5926e94c995 100644 (file)
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -427,6 +427,19 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
                }
        }
 
+       /* Nameserver is authoritative for both parent side and the child side of the
+        * delegation may respond with an NS record in the answer section, and still update
+        * the zone cut (e.g. what a.gtld-servers.net would respond for `com NS`) */
+       if (!ns_record_exists && knot_wire_get_aa(pkt->wire)) {
+               for (unsigned i = 0; i < an->count; ++i) {
+                       const knot_rrset_t *rr = knot_pkt_rr(an, i);
+                       if (rr->type == KNOT_RRTYPE_NS && knot_dname_is_sub(rr->owner, qry->zone_cut.name)) {
+                               /* NS below cut in authority indicates different authority, but same NS set. */
+                               qry->zone_cut.name = knot_dname_copy(rr->owner, &req->pool);
+                       }
+               }
+       }
+
        if (glue_cnt) {
                VERBOSE_MSG("<= loaded %d glue addresses\n", glue_cnt);
        }