iterate: don't inherit _INSECURE on CNAME jumps
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 13 Apr 2017 12:40:29 +0000 (14:40 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 13 Apr 2017 12:48:18 +0000 (14:48 +0200)
The jump may lead to a secure zone, so let the sub-query find out by
itself.  Otherwise we might cache those RRs with INSECURE rank even
though they are secure.  This shouldn't harm AD flags anymore.

lib/layer/iterate.c

index a2e9cd178f8be3342a3a8e0cddf9625ba1625a08..7e45e8a084bf195dfb83ae9f38f66032428f98cc 100644 (file)
@@ -644,13 +644,13 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
                        return KR_STATE_FAIL;
                }
                next->flags |= QUERY_AWAIT_CUT;
-               if (query->flags & QUERY_DNSSEC_INSECURE) {
-                       next->flags &= ~QUERY_DNSSEC_WANT;
-                       next->flags |= QUERY_DNSSEC_INSECURE;
-               } else if (kr_ta_covers_qry(req->ctx, cname, query->stype)) {
-                       /* Want DNSSEC if it's posible to secure
-                        * this name (e.g. is covered by any TA) */
+
+               /* Want DNSSEC if and only if it's posible to secure
+                * this name (i.e. iff it is covered by a TA) */
+               if (kr_ta_covers_qry(req->ctx, cname, query->stype)) {
                        next->flags |= QUERY_DNSSEC_WANT;
+               } else {
+                       next->flags &= ~QUERY_DNSSEC_WANT;
                }
                state = pick_authority(pkt, req, false);
                if (state != kr_ok()) {
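Review bot: The rewritten comment on the new lines carries the old typo forward ("posible") and its "if and only if" wording only describes the WANT flag, so it is worth tightening to `/* Want DNSSEC iff it's possible to secure this name (i.e. iff it is covered by a TA); the sub-query decides on its own whether the target is actually secure. */`. Since the parent's QUERY_DNSSEC_INSECURE is no longer copied onto `next`, any downstream code that ranks or caches the CNAME target's records by reading that flag on the sub-query would presumably now see it unset — that dependency is not visible here, so it should be confirmed with a test where an insecure zone CNAMEs into a TA-covered zone and the resulting ranks are checked. process_answer begins and ends outside this hunk.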