lib/resolve: disable DNSSEC when not under a TA

diff --git a/lib/resolve.c b/lib/resolve.c
index bb43f4c05c881396e6110dcd08d1aa67afbad452..96ec791d1354c3fe176e302fe95fee193c4a82ce 100644 (file)
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -390,6 +390,8 @@ static int zone_cut_check(struct kr_request *request, struct kr_query *qry, knot
                if (!kr_ta_covers(negative_anchors, qry->zone_cut.name) &&
                    kr_ta_covers(trust_anchors, qry->zone_cut.name)) {
                        qry->flags |= QUERY_DNSSEC_WANT;
+               } else {
+                       qry->flags &= ~QUERY_DNSSEC_WANT;
                }
                int ret = ns_fetch_cut(qry, request, (qry->flags & QUERY_DNSSEC_WANT));
                if (ret != 0) {