From: Grigorii Demidov
Date: Thu, 13 Apr 2017 09:15:32 +0000 (+0200)
Subject: dnssec/nsec3: don't set AD flag in properly signed wildcard nodata answer
X-Git-Tag: v1.2.6~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1478e23d5d74639699174002fe402e2fc54f862f;p=thirdparty%2Fknot-resolver.git
dnssec/nsec3: don't set AD flag in properly signed wildcard nodata answer
---
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index 34ddd7459..5a201353e 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -702,6 +702,14 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
encloser_name, stype);
if (ret == 0) {
/* Satisfies RFC5155 8.7 */
+ if (has_optout(covering_next_nsec3)) {
+ /* Opt-out is detected.
+ * Despite the fact that all records
+ * in the packet can be properly signed,
+ * AD bit must not be set due to rfc5155 9.2.
+ * Return appropriate code to the caller */
+ ret = kr_error(DNSSEC_OUT_OF_RANGE);
+ }
return ret;
}
@@ -719,7 +727,7 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
*/
ret = kr_error(DNSSEC_OUT_OF_RANGE);
}
-
+
return ret;
}
diff --git a/tests/deckard b/tests/deckard
index b985a91d0..a53c2d202 160000
--- a/tests/deckard
+++ b/tests/deckard
@@ -1 +1 @@
-Subproject commit b985a91d0e5f2f30d430d3fb4823f20f78661c70
+Subproject commit a53c2d202002f6c53451ea7bbd41cb925e08a713
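Review bot: The opt-out branch added after `/* Satisfies RFC5155 8.7 */` returns `kr_error(DNSSEC_OUT_OF_RANGE)`, the same code the second hunk returns when the NSEC3 proof itself fails, so a caller cannot distinguish "proof valid but opt-out, answer is insecure and AD must stay clear" from "proof invalid, answer is bogus"; RFC 5155 §9.2 only asks for the AD bit to be withheld, not for the answer to be rejected. Unless the caller is known to treat DNSSEC_OUT_OF_RANGE as insecure rather than bogus (not visible here), this risks turning a correctly signed opt-out NODATA answer into a SERVFAIL. Suggest a dedicated error code for the opt-out case, or at least a comment pinning the contract, e.g. `/* Same code as a failed proof below: caller must treat this as insecure (clear AD), not bogus. */`. The branch also presumes `covering_next_nsec3` is populated whenever the preceding call returns 0; that assignment and the rest of kr_nsec3_no_data lie outside the hunk.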