lib/resolve answer_finalize: don't SERVFAIL bogus +cd
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 14 Aug 2019 08:48:46 +0000 (10:48 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 14 Aug 2019 08:48:46 +0000 (10:48 +0200)
As kresd works now, typically we do not know whether these records are
bogus, as with +cd we do not attempt validation.  Still, it's possible
that we have those records in cache from an occasion without +cd, in
which case we know they're bogus and this regression happened.

The potential impact of this issue seems minimal.

NEWS
lib/resolve.c

diff --git a/NEWS b/NEWS
index 0575bad69f34e0983304f17a9d86510d328c5955..b1c2ab83e3ac05e4bc445c07b4fd7a1953d19104 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd)
 Bugfixes
 --------
 - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
+- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
+  (regression since 4.1.0 release, in less common cases)
 
 
 Knot Resolver 4.2.0 (2019-08-05)
index 6b411f770f671795e515031e31ca144a8bb79235..6ef20979a57661685eba46bbf7e14c52e428c3af 100644 (file)
@@ -619,8 +619,10 @@ static void answer_finalize(struct kr_request *request)
        /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */
        if (last->flags.DNSSEC_BOGUS
            || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) {
-               answer_fail(request);
-               return;
+               if (!knot_wire_get_cd(request->qsource.packet->wire)) {
+                       answer_fail(request);
+                       return;
+               }
        }
 
        /* AD flag.  We can only change `secure` from true to false.
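Review bot: The new `knot_wire_get_cd(request->qsource.packet->wire)` test dereferences `request->qsource.packet` without a guard, and nothing visible in the hunk shows that this pointer is always set. If answer_finalize can run for a request that has no client packet (for example an internally generated one), this would be a NULL dereference that takes the resolver down. In that case a missing packet should count as CD unset, e.g. `const bool cd = request->qsource.packet && knot_wire_get_cd(request->qsource.packet->wire);` followed by `if (!cd) {`. Because data known to be bogus is now returned to +cd clients, a comment such as `/* +cd: the client asked for no validation, so pass bogus data through; AD must stay cleared below. */` would help, and it is worth confirming that the AD handling after this hunk cannot set AD on this path. answer_finalize's body starts and ends outside the hunk.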