From: Grigorii Demidov Date: Thu, 15 Jun 2017 11:11:30 +0000 (+0200) Subject: layer/iterate: forwarding mode - treat CNAME'ed NS&DS answers as proof of zonecut... X-Git-Tag: v1.3.1~1^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01bfc58e6b755fa5d2c0eba3cb6521d9c89fceb0;p=thirdparty%2Fknot-resolver.git layer/iterate: forwarding mode - treat CNAME'ed NS&DS answers as proof of zonecut nonexistance --- diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c index ef853df0b..11ae80d91 100644 --- a/lib/layer/iterate.c +++ b/lib/layer/iterate.c @@ -635,6 +635,12 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req) if (state != kr_ok()) { return state; } + } else if ((query->flags & QUERY_FORWARD) && + ((query->stype == KNOT_RRTYPE_DS) || + (query->stype == KNOT_RRTYPE_NS))) { + /* CNAME'ed answer for DS or NS subquery. + * Treat it as proof of zonecut nonexistance. */ + return KR_STATE_DONE; } VERBOSE_MSG("<= cname chain, following\n"); /* Check if the same query was followed in the same CNAME chain. */ diff --git a/lib/resolve.c b/lib/resolve.c index 6902cbeb9..ac6f731c7 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -1044,6 +1044,10 @@ static int forward_trust_chain_check(struct kr_request *request, struct kr_query if (qry->flags & QUERY_DNSSEC_NODS) { nods = true; } + if (qry->flags & QUERY_CNAME) { + nods = true; + ns_req = true; + } if (!(q->flags & QUERY_DNSSEC_OPTOUT)) { int ret = kr_dnssec_matches_name_and_type(&request->auth_selected, q->uid, wanted_name, KNOT_RRTYPE_NS);