From: Marek VavruĊĦa Date: Sun, 4 Oct 2015 19:24:46 +0000 (+0200) Subject: lib/resolve: cached names below cut are treated insecure X-Git-Tag: v1.0.0-beta1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01ec28f4884f6a458fce7ddcd7d4547cbfba775f;p=thirdparty%2Fknot-resolver.git lib/resolve: cached names below cut are treated insecure
---
diff --git a/lib/resolve.c b/lib/resolve.c
index 96ec791d1..f2f13e5a6 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -270,8 +270,10 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 /* Deferred zone cut lookup for this query. */
 qry->flags |= QUERY_AWAIT_CUT;
 /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
+ map_t *negative_anchors = &request->ctx->negative_anchors;
 map_t *trust_anchors = &request->ctx->trust_anchors;
- if (knot_pkt_has_dnssec(packet) && kr_ta_covers(trust_anchors, qname)) {
+ if (knot_pkt_has_dnssec(packet) &&
+ kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
 qry->flags |= QUERY_DNSSEC_WANT;
 }
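Review bot: The new condition in resolve_query tests the two anchor sets independently, so a negative anchor on any ancestor of qname clears QUERY_DNSSEC_WANT even when a more specific trust anchor is configured below it. That assumes kr_ta_covers matches ancestors, which is not visible here; if it does, decide and document which of the two wins when both cover the name, since an over-broad negative anchor silently turns validation off for the whole subtree. The comment above the check still describes only the positive case; I would update it to something like `/* Want DNSSEC if the name is covered by a TA and not by a negative TA */`. The body of resolve_query starts and ends outside the hunk.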