lib/resolve: bugfixes for forwarding mode
authorGrigorii Demidov <grigorii.demidov@nic.cz>
Thu, 22 Jun 2017 12:56:52 +0000 (14:56 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 23 Jun 2017 08:50:13 +0000 (10:50 +0200)
unnecessary queries in some circumstances; some minor bugfixes

lib/layer/validate.c
lib/resolve.c

index 66e16f08cf27a24f56a70fc0d0f85f69b6917648..0fa41ab90f3175a1ab52c87f191b25e7ca462e7c 100644 (file)
@@ -316,7 +316,7 @@ static int update_parent_keys(struct kr_request *req, uint16_t answer_type)
                                        mark_insecure_parents(qry);
                                }
                        }
-               } else if ((qry->flags & (QUERY_DNSSEC_NODS | QUERY_FORWARD | QUERY_DNSSEC_OPTOUT)) ==
+               } else if ((qry->flags & (QUERY_DNSSEC_NODS | QUERY_FORWARD)) ==
                           (QUERY_DNSSEC_NODS | QUERY_FORWARD)) {
                        int ret = kr_dnssec_matches_name_and_type(&req->auth_selected, qry->uid,
                                                                  qry->sname, KNOT_RRTYPE_NS);
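Review bot: With `QUERY_DNSSEC_OPTOUT` dropped from the mask, the `else if` on `(qry->flags & (QUERY_DNSSEC_NODS | QUERY_FORWARD))` now also matches queries whose answer was covered by opt-out, and nothing next to the condition says why that is intended. This branch sits beside `mark_insecure_parents(qry)` and appears to influence how parent keys are updated during validation, so the rule should be written down where a later reader will see it. The body of the branch continues outside the hunk, so what happens with `ret` cannot be checked from here. I would add a comment above the condition, for example `/* NODS in forwarding mode: opt-out answers are handled here too; the NS match below decides whether this is a zone cut. */`, adjusted to the actual intent.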
index ac6f731c7ac1672fcb413685d3ef89f63412c33a..3b2c008c797d49b0757a506224b6fe88b187577f 100644 (file)
@@ -1007,10 +1007,6 @@ static int forward_trust_chain_check(struct kr_request *request, struct kr_query
                return KR_STATE_DONE;
        }
 
-       if (qry->parent == NULL && (qry->flags & QUERY_CNAME)) {
-               return KR_STATE_PRODUCE;
-       }
-
        bool nods = false;
        bool ds_req = false;
        bool ns_req = false;
@@ -1041,19 +1037,22 @@ static int forward_trust_chain_check(struct kr_request *request, struct kr_query
                            knot_dname_is_equal(q->sname, wanted_name)) {
                                if (q->stype == KNOT_RRTYPE_DS) {
                                        ds_req = true;
-                                       if (qry->flags & QUERY_DNSSEC_NODS) {
+                                       if (q->flags & QUERY_DNSSEC_NODS) {
                                                nods = true;
                                        }
-                                       if (qry->flags & QUERY_CNAME) {
+                                       if (q->flags & QUERY_CNAME) {
                                                nods = true;
-                                               ns_req = true;
-                                       }
-                                       if (!(q->flags & QUERY_DNSSEC_OPTOUT)) {
+                                               ns_exist = false;
+                                       } else if (!(q->flags & QUERY_DNSSEC_OPTOUT)) {
                                                int ret = kr_dnssec_matches_name_and_type(&request->auth_selected, q->uid,
                                                                                          wanted_name, KNOT_RRTYPE_NS);
                                                ns_exist = (ret == kr_ok());
                                        }
                                } else {
+                                       if (q->flags & QUERY_CNAME) {
+                                               nods = true;
+                                               ns_exist = false;
+                                       }
                                        ns_req = true;
                                }
                        }
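Review bot: The final value of `ns_exist` now depends on the order in which matching queries are visited. Both `QUERY_CNAME` branches force `ns_exist = false`, while the `else if (!(q->flags & QUERY_DNSSEC_OPTOUT))` arm overwrites it with `(ret == kr_ok())`. If a DS sub-query and a non-DS sub-query for `wanted_name` are both in the list, whichever is seen last wins, so a CNAME observed on one can be undone by the other. The loop header and the declaration of `ns_exist` are outside the hunk, so this is inferred from the visible assignments only. Since `nods` and `ns_exist` presumably steer how the trust chain is continued, I would state the invariant at the first CNAME branch, e.g. `/* CNAME at wanted_name: not a zone cut; this result must not be overwritten by a later match */`, and consider guarding the later assignment accordingly.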
@@ -1068,6 +1067,11 @@ static int forward_trust_chain_check(struct kr_request *request, struct kr_query
                        return KR_STATE_DONE;
                }
 
+               if (qry->parent == NULL && (qry->flags & QUERY_CNAME) &&
+                   ds_req && ns_req) {
+                       return KR_STATE_PRODUCE;
+               }
+
                if ((qry->stype == KNOT_RRTYPE_DS) &&
                    knot_dname_is_equal(wanted_name, qry->sname)) {
                        nods = true;
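Review bot: The relocated early return `if (qry->parent == NULL && (qry->flags & QUERY_CNAME) && ds_req && ns_req)` has no comment explaining why it is safe to skip the rest of the trust-chain check once both flags are set. The same commit stops setting `ns_req` in the DS/CNAME branch, so the condition now holds only when a separate non-DS sub-query for `wanted_name` exists. That coupling is easy to break in a later edit and would silently change when validation planning is skipped. The rest of `forward_trust_chain_check` lies outside the hunk. I would add a comment above the `if`, such as `/* Top-level CNAME: DS and NS sub-queries for wanted_name were already issued, so there is nothing more to plan. */`, if that matches the intent.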