From: menakite <29005531+menakite@users.noreply.github.com>
Date: Sun, 1 Sep 2024 18:56:44 +0000 (+0200)
Subject: validator: fix after fac462e163a2614e24d2c604a9b120b949796a72.
X-Git-Tag: v6.0.9~21^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ca37a0e312bd61b78f5334c8086967449a178a4;p=thirdparty%2Fknot-resolver.git

validator: fix after fac462e163a2614e24d2c604a9b120b949796a72.

See:
  https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1590#note_304380
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 1a871b446..321b0a254 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1415,6 +1415,13 @@ static int validate_finalize(kr_layer_t *ctx) {
 	/* Clear DNSSEC-related Extended Error in case the request managed to succeed somehow. */
 	if (ctx->state == KR_STATE_DONE) {
 		switch (ctx->req->extended_error.info_code) {
+		case KNOT_EDNS_EDE_DNSKEY_ALG:
+		case KNOT_EDNS_EDE_DS_DIGEST:
+		case KNOT_EDNS_EDE_NSEC3_ITERS: ;
+			/* These EDEs are meant to result into _INSECURE success. */
+			const struct kr_query *qry = kr_rplan_resolved(&ctx->req->rplan);
+			if (qry->flags.DNSSEC_INSECURE)
+				break;
 		case KNOT_EDNS_EDE_BOGUS:
 		case KNOT_EDNS_EDE_NSEC_MISS:
 		case KNOT_EDNS_EDE_RRSIG_MISS:
@@ -1422,8 +1429,6 @@ static int validate_finalize(kr_layer_t *ctx) {
 		case KNOT_EDNS_EDE_EXPIRED_INV:
 		case KNOT_EDNS_EDE_SIG_NOTYET:
 		case KNOT_EDNS_EDE_DNSKEY_BIT:
-		case KNOT_EDNS_EDE_DNSKEY_ALG:
-		case KNOT_EDNS_EDE_DS_DIGEST:
 		case KNOT_EDNS_EDE_DNSKEY_MISS:
 			kr_request_set_extended_error(ctx->req, KNOT_EDNS_EDE_NONE, NULL);
 			break;