lib/resolve: AD flag is set only for secure answers
authorMarek Vavruša <marek.vavrusa@nic.cz>
Sat, 19 Sep 2015 19:27:45 +0000 (21:27 +0200)
committerMarek Vavruša <marek.vavrusa@nic.cz>
Sat, 19 Sep 2015 19:27:45 +0000 (21:27 +0200)
if the final query isn’t satisfied with DNSSEC on,
then the answer counts as insecure

lib/resolve.c

index c77b40cec9f3d6363d3ffbb441aa2ad2c0169bdf..92311e15fba9c708f6c1acba66536067dad1150a 100644 (file)
@@ -191,8 +191,12 @@ static int answer_finalize(struct kr_request *request, int state)
                }
        }
        /* Set AD=1 if succeeded and requested secured answer. */
-       if (state == KNOT_STATE_DONE && (request->options & QUERY_DNSSEC_WANT)) {
-               knot_wire_set_ad(answer->wire);
+       struct kr_rplan *rplan = &request->rplan;
+       if (state == KNOT_STATE_DONE && !EMPTY_LIST(rplan->resolved)) {
+               struct kr_query *last = TAIL(rplan->resolved);
+               if (last->flags & QUERY_DNSSEC_WANT) {
+                       knot_wire_set_ad(answer->wire);
+               }
        }
        return kr_ok();
 }
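Review bot: The AD decision in the new `if` rests only on `TAIL(rplan->resolved)`, so any earlier entry in `rplan->resolved` that finished without `QUERY_DNSSEC_WANT` is never looked at; if the answer can carry records gathered by such queries (for example along a CNAME chain, which this hunk does not show), AD would assert more than was actually validated. Consider checking every resolved query that contributed to the answer, or documenting why the tail alone is sufficient. The comment above the block is also stale, since `request->options` is no longer consulted; something like `/* Set AD=1 only if the final resolved query finished with DNSSEC still wanted. */` would match the code. answer_finalize starts before the hunk, so earlier handling of the answer is not visible here.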