lib/validate: scrubbed extra rrs in NS were checked
authorMarek Vavrusa <marek@vavrusa.com>
Mon, 8 Feb 2016 01:36:48 +0000 (01:36 +0000)
committerMarek Vavrusa <marek@vavrusa.com>
Mon, 8 Feb 2016 01:36:48 +0000 (01:36 +0000)
the validator module should ignore any data that
will be scrubbed, that includes non-authoritative
data outside current bailiwick. previously,
validator attempted to ignore these records only
for answer section and had a special case for NS
records.

cache: non-authoritative NS records are always
unchecked and must be treated as insecure

affected: www.iana.org trying to provide
delegation information for CNAME target, which is
moot with CNAME target explicit-fetch policy unless
the resolver already knows the DNSKEY with which
it could verify the records

lib/layer/rrcache.c
lib/layer/validate.c
tests/deckard

index ca5bdedf19fb55a39318dc8b693b9bda43079039..d254d9afc65142acffccecd62601747b1f712fd9 100644 (file)
@@ -177,10 +177,15 @@ static int commit_rr(const char *key, void *val, void *data)
 
        /* Save RRSIG in a special cache. */
        uint16_t rank = KEY_FLAG_RANK(key);
-       if (baton->qry->flags & QUERY_DNSSEC_WANT)
-               rank |= KR_RANK_SECURE;
-       if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
-               rank |= KR_RANK_INSECURE;
+       /* Non-authoritative NSs should never be trusted,
+        * it may be present in an otherwise secure answer but it
+        * is only a hint for local state. */
+       if (rr->type != KNOT_RRTYPE_NS || (rank & KR_RANK_AUTH)) {
+               if (baton->qry->flags & QUERY_DNSSEC_WANT)
+                       rank |= KR_RANK_SECURE;
+               if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
+                       rank |= KR_RANK_INSECURE;
+       }
        if (KEY_COVERING_RRSIG(key)) {
                return commit_rrsig(baton, rank, rr);
        }
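Review bot: The new gate at `if (rr->type != KNOT_RRTYPE_NS || (rank & KR_RANK_AUTH))` exempts only NS RRsets from inheriting the query's SECURE/INSECURE rank, yet the reasoning in the comment (non-authoritative data is an unvalidated hint) applies equally to other non-authoritative records such as glue A/AAAA in the additional section, which would still be stamped `KR_RANK_SECURE` whenever `QUERY_DNSSEC_WANT` is set. Whether that matters depends on how KR_RANK_AUTH is assigned upstream of this function and on whether non-NS non-authoritative records can reach commit_rr at all, which is not visible here; if they can, gating on `(rank & KR_RANK_AUTH)` alone, or at least extending the type check to glue, seems safer than a single-type exception. The comment also reads awkwardly ("NSs ... it may be present"); consider `/* Non-authoritative NS RRsets are never validated (they are only a hint for local state), so they must not inherit the query's SECURE/INSECURE rank. */`. commit_rr's body starts and ends outside this hunk.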
index a516c6f9ab4cec730749d8372d5e1dfb27d899dd..453a00cafb2b53638e94be08d1c56a73da20f7e3 100644 (file)
@@ -125,7 +125,7 @@ static int validate_section(struct kr_query *qry, knot_pkt_t *answer,
                        continue;
                }
                /* Only validate answers from current cut, records above the cut are stripped. */
-               if (section_id == KNOT_ANSWER && !knot_dname_in(qry->zone_cut.name, rr->owner)) {
+               if (!knot_dname_in(qry->zone_cut.name, rr->owner)) {
                        continue;
                }
                ret = kr_rrmap_add(&stash, rr, 0, pool);
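Review bot: The existing comment above the changed line, "Only validate answers from current cut, records above the cut are stripped.", is now stale: the condition applies to every section, and `!knot_dname_in(qry->zone_cut.name, rr->owner)` rejects any owner outside the cut, not only names above it. More importantly, the validator now silently skips those records in authority and additional sections, so correctness relies on another layer scrubbing them before they reach the cache or the client answer; that dependency should be stated where the skip happens, e.g. `/* Only validate records under the current cut, in any section. Anything outside it is never checked here and must be scrubbed before it reaches the cache or the answer. */`. validate_section's body starts and ends outside this hunk.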
index 7d8a8ce66e41c4ffa2ebf1edc3839494873855c1..866b7b95ce7355d112b9e47504825c31c6fcb27a 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 7d8a8ce66e41c4ffa2ebf1edc3839494873855c1
+Subproject commit 866b7b95ce7355d112b9e47504825c31c6fcb27a