layer/iterate: remove counter-productive validation
authorGrigorii Demidov <grigorii.demidov@nic.cz>
Wed, 2 Aug 2017 16:13:49 +0000 (18:13 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 3 Aug 2017 08:37:24 +0000 (10:37 +0200)
... functionality from iterator: don't fail immediately if actual number
of labels in owner name exceeds number in label field of RRSIG rrset

NEWS
lib/layer/iterate.c

diff --git a/NEWS b/NEWS
index f7a4cd6228749e32ad391e13610b2a2fe8697b19..185173f89106787b52623ac79ed2e0d063dc8412 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 Knot Resolver 1.3.3 (2017-0_-__)
 ================================
 
+Bugfixes
+--------
+- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
+
 Improvements
 ------------
 - policy: implement remaining special-use domain names from RFC6761 (#205),
index b8ce5d01a40779d221e40a173229547695059fdd..0efccbb74e282ee845a989c4c507b90bee39600e 100644 (file)
@@ -465,7 +465,10 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
                        if (rr->type == KNOT_RRTYPE_RRSIG) {
                                int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0);
                                if (rrsig_labels > cname_labels) {
-                                       return KR_STATE_FAIL;
+                                       /* clearly wrong RRSIG, don't pick it.
+                                        * don't fail immediately,
+                                        * let validator work. */
+                                       continue;
                                }
                                if (rrsig_labels < cname_labels) {
                                        query->flags |= QUERY_DNSSEC_WEXPAND;
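Review bot: The new `continue` in `unroll_cname` discards an RRSIG whose Labels field exceeds the owner's label count, but the comment does not state the invariant that makes this safe: the validator must still reject the answer when no usable signature is left for the CNAME. I would spell out the direction and the dependency, e.g. `/* RRSIG Labels field > owner label count (RFC 4035, 5.3.1): never usable. Skip it; the validator must still fail the answer if no valid RRSIG remains. */`, because the commit message words the condition the other way round. The skip is also silent, so a debug-level log line at this point would let an operator see why a signature was ignored when an answer later turns out bogus. The enclosing loop starts and ends outside the hunk, so it is worth confirming that `continue` targets the per-record loop and skips nothing that later records depend on. A regression test with one over-labelled RRSIG next to a valid one, and one with only the over-labelled RRSIG, would pin both outcomes.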