layer/validate: don't treat answers which contain DS non-existence proof as unsecured
authorGrigorii Demidov <grigorii.demidov@nic.cz>
Wed, 1 Mar 2017 12:47:27 +0000 (13:47 +0100)
committerGrigorii Demidov <grigorii.demidov@nic.cz>
Wed, 1 Mar 2017 12:47:27 +0000 (13:47 +0100)
lib/layer/validate.c
lib/resolve.c
lib/rplan.h

index 1b9dd5d3e0f7e8050ed97e8cd95114257d537a0d..bdff94a3aff1db5a38ff82164e1c1210e37eb2e7 100644 (file)
@@ -294,7 +294,7 @@ static int update_parent_keys(struct kr_query *qry, uint16_t answer_type)
                break;
        case KNOT_RRTYPE_DS:
                VERBOSE_MSG(qry, "<= parent: updating DS\n");
-               if (qry->flags & QUERY_DNSSEC_INSECURE) { /* DS non-existence proven. */
+               if (qry->flags & (QUERY_DNSSEC_NODS | QUERY_DNSSEC_INSECURE)) { /* DS non-existence proven. */
                        mark_insecure_parents(qry);
                } else { /* DS existence proven. */
                        parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool);
@@ -371,8 +371,7 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
                        qry->flags |= QUERY_DNSSEC_BOGUS;
                } else {
                        VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
-                       qry->flags &= ~QUERY_DNSSEC_WANT;
-                       qry->flags |= QUERY_DNSSEC_INSECURE;
+                       qry->flags |= QUERY_DNSSEC_NODS;
                }
                return ret;
        }
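Review bot: The verbose message `<= DS doesn't exist, going insecure` just above the new `qry->flags |= QUERY_DNSSEC_NODS;` line now overstates this query's state: QUERY_DNSSEC_WANT is no longer cleared here, so the query keeps validating and only the child cut is marked insecure later, in update_parent_keys. Anyone debugging a downgrade will read "going insecure" and look for the flag that is not set. I would make the log say what actually happens, `VERBOSE_MSG(qry, "<= DS doesn't exist, marking NODS (child cut goes insecure)\n");`. update_delegation starts and ends outside the hunk.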
@@ -666,8 +665,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                        if (ret != 0) {
                                if (has_nsec3 && (ret == kr_error(DNSSEC_OUT_OF_RANGE))) {
                                        VERBOSE_MSG(qry, "<= can't prove NODATA due to optout, going insecure\n");
-                                       qry->flags &= ~QUERY_DNSSEC_WANT;
-                                       qry->flags |= QUERY_DNSSEC_INSECURE;
+                                       qry->flags |= QUERY_DNSSEC_NODS;
                                        /* Could not return from here,
                                         * we must continue, validate NSEC\NSEC3 and
                                         * call update_parent_keys() to mark
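Review bot: The opt-out branch that sets `qry->flags |= QUERY_DNSSEC_NODS;` turns a NODATA it cannot prove into an insecure delegation, which is only sound when the question is for DS — RFC 5155 opt-out excuses an unsigned delegation's DS and nothing else. The hunk does not show a qtype check, so if this branch is reachable for other types, a covering opt-out NSEC3 would let an attacker downgrade an arbitrary NODATA answer to insecure; confirm that the surrounding code restricts it to DS queries. Keeping DNSSEC_WANT set so the NSEC3 RRs themselves are still validated before update_parent_keys acts on NODS is the right order. I would record the precondition next to the flag: `/* Opt-out only excuses a missing DS; for any other qtype this NODATA is bogus, not insecure. */`. validate() starts and ends outside the hunk.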
@@ -729,7 +727,8 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                return KR_STATE_FAIL;
        } else if (pkt_rcode == KNOT_RCODE_NOERROR &&
                   referral &&
-                  ((qry->flags & (QUERY_DNSSEC_WANT | QUERY_DNSSEC_INSECURE)) == QUERY_DNSSEC_INSECURE)) {
+                  (((qry->flags & (QUERY_DNSSEC_WANT | QUERY_DNSSEC_INSECURE)) == QUERY_DNSSEC_INSECURE) ||
+                  (qry->flags & QUERY_DNSSEC_NODS))) {
                /* referral with proven DS non-existance */
                qtype = KNOT_RRTYPE_DS;
        }
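Review bot: The comment `/* referral with proven DS non-existance */` no longer covers every path into this branch, because QUERY_DNSSEC_NODS is also set on the NSEC3 opt-out path, where nothing is proven about the name beyond the covering range being opted out. A reader auditing which referrals get rewritten to a DS query should see both cases, and the spelling error is worth fixing while here: `/* referral whose DS was proven absent, or opted out by NSEC3; treat it as the DS answer */`. With NODS the `(WANT | INSECURE) == INSECURE` clause is still needed for the pre-existing insecure path, so the compound condition is correct, just long; a named `const bool` above the `else if` would read better. validate() continues outside the hunk.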
index fe55019c52c37d104d99df5b65b11075dcd02c08..af538b37f9b8b44083b57a70d025a85f5c5acda9 100644 (file)
@@ -185,9 +185,11 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
 
        /* It can occur that here parent query already have
         * provably insecured zonecut which not in the cache yet. */
+       const uint32_t insec_flags = QUERY_DNSSEC_INSECURE | QUERY_DNSSEC_NODS;
+       const uint32_t cut_flags = QUERY_AWAIT_IPV4 | QUERY_AWAIT_IPV6;
        const bool is_insecured = ((qry->parent != NULL) &&
-                                  (qry->parent->flags & (QUERY_AWAIT_IPV4 | QUERY_AWAIT_IPV6)) == 0 &&
-                                  (qry->parent->flags & QUERY_DNSSEC_INSECURE) != 0);
+                                  (qry->parent->flags & cut_flags) == 0 &&
+                                  (qry->parent->flags & insec_flags) != 0);
 
        /* Want DNSSEC if it's possible to secure this name
         * (e.g. is covered by any TA) */
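Review bot: The context comment above the new masks, `provably insecured zonecut which not in the cache yet`, is hard to parse for the reader who now has to understand why a parent carrying QUERY_DNSSEC_NODS makes this query stop wanting DNSSEC (presumably in the code just below, which is outside the hunk). I would rewrite it as `/* The parent query may already hold a provably insecure zone cut (DS absent or opted out) that is not cached yet; don't ask for DNSSEC below it. */`. The local name `insec_flags` could also say whose flags they are, e.g. `parent_insecure_flags`. ns_fetch_cut starts and ends outside the hunk.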
index 92f94d09e20c80c93e17001d75f568aa1487f72b..6a70835ebe127d59d865923226aa6607ae4d4ece 100644 (file)
@@ -53,6 +53,7 @@
        X(REORDER_RR,      1 << 24) /**< Reorder cached RRs. */ \
        X(TRACE,           1 << 25) /**< Log answer with kr_verbose_log(), unless -DNDEBUG. */ \
        X(NO_0X20,         1 << 26) /**< Disable query case randomization . */ \
+       X(DNSSEC_NODS,     1 << 27) /**< DS non-existance is proven */ \
                        /* 1 << 31       Used by ../modules/dns64/dns64.lua */
 
 /** Query flags */
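Review bot: The new flag's doc comment `/**< DS non-existance is proven */` does not tell a maintainer how DNSSEC_NODS differs from DNSSEC_INSECURE, which is the distinction the rest of the commit depends on: NODS leaves QUERY_DNSSEC_WANT set so the current answer is still validated, whereas INSECURE drops validation, and NODS is also raised on the NSEC3 opt-out path rather than only on a verified DS denial. Suggest `/**< DS proven absent (or NSEC3 opt-out); unlike DNSSEC_INSECURE the answer is still validated. */`, which also fixes the spelling.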