This part of code still deserves better review.
It's a bit surprising that our current tests didn't discover it.
We incorrectly answered with AD in some cases, e.g. ntp.pool.org AAAA.
ret = edns_put(answer);
}
+ /* AD: negative answers need more handling. */
+ if (kr_response_classify(answer) != PKT_NOERROR && last) {
+ const bool OK = (last->flags & QUERY_DNSSEC_WANT)
+ && !(last->flags & (QUERY_DNSSEC_BOGUS | QUERY_DNSSEC_INSECURE));
+ if (!OK) {
+ secure = false;
+ }
+ }
/* Clear AD if not secure. ATM answer has AD=1 if requested secured answer. */
if (!secure || state != KR_STATE_DONE
|| knot_pkt_qtype(answer) == KNOT_RRTYPE_RRSIG) {
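Review bot: the new block only runs when `last` is non-NULL, so a negative answer with no `last` query leaves `secure` as computed earlier and AD stays set; either confirm that a negative answer always has a `last` or make the `!last` case clear `secure` too, since a missing query record is not evidence of a validated answer. Since the commit message says the existing tests did not catch the ntp.pool.org AAAA case, a regression test for a NODATA/NXDOMAIN answer where `QUERY_DNSSEC_WANT` is set together with `QUERY_DNSSEC_BOGUS` or `QUERY_DNSSEC_INSECURE` would pin the fix. Minor style: uppercase `OK` reads like a macro; a lowercase `ok` matches the surrounding locals (`secure`, `state`).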
-Subproject commit b985a91d0e5f2f30d430d3fb4823f20f78661c70
+Subproject commit 743603e0ccd40fa1d0a97dfbc1e9ae963dda89f6
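Review bot: the submodule pointer bump from b985a91 to 743603e is bundled with the AD-flag fix but not mentioned in the commit message; either say what the bump brings (a test-data update that covers the ntp.pool.org AAAA case would be worth stating explicitly) or split it into its own commit so the resolver change can be reviewed and bisected on its own.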