pktcache: fix mixup of BOGUS and INSECURE DNSSEC
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 1 Feb 2017 14:08:26 +0000 (15:08 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 1 Feb 2017 14:23:56 +0000 (15:23 +0100)
A negative answer cached from a +cd query could be mistakenly used
even for a later query without +cd.

lib/layer/pktcache.c

index b8a6d0585245cd653109c2d81b3e1b182170d7bb..861e47cba9590405a0b47aa6b932f6ba0f963281 100644 (file)
@@ -54,8 +54,6 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
        uint32_t timestamp = qry->timestamp.tv_sec;
        const knot_dname_t *qname = qry->sname;
        uint16_t rrtype = qry->stype;
-       const bool want_secure = (qry->flags & QUERY_DNSSEC_WANT) &&
-                                !knot_wire_get_cd(req->answer->wire);
 
        struct kr_cache_entry *entry = NULL;
        int ret = kr_cache_peek(cache, KR_CACHE_PKT, qname,
@@ -65,12 +63,12 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
        }
 
        /* Check that we have secure rank. */
-       if (want_secure && entry->rank == KR_RANK_BAD) {
+       if (!knot_wire_get_cd(req->answer->wire) && entry->rank == KR_RANK_BAD) {
                return kr_error(ENOENT);
        }
 
        /* Check if entry is insecure and setup query flags if needed. */
-       if (want_secure && entry->rank == KR_RANK_INSECURE) {
+       if ((qry->flags & QUERY_DNSSEC_WANT) && entry->rank == KR_RANK_INSECURE) {
                qry->flags |= QUERY_DNSSEC_INSECURE;
                qry->flags &= ~QUERY_DNSSEC_WANT;
        }