From: Vladimír Čunát Date: Mon, 12 Dec 2016 11:48:18 +0000 (+0100) Subject: Merge branch 'master' into cd_processing X-Git-Tag: v1.2.0-rc1~62^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d4f79c4ff7bc91dc85d1c4ae7e46790b2428ac1;p=thirdparty%2Fknot-resolver.git Merge branch 'master' into cd_processing and fixup with DEBUG -> VERBOSE renames. --- 1d4f79c4ff7bc91dc85d1c4ae7e46790b2428ac1 diff --cc lib/layer/pktcache.c index 7520636dd,41c3325a3..1dc67f664 --- a/lib/layer/pktcache.c +++ b/lib/layer/pktcache.c @@@ -122,10 -118,10 +122,10 @@@ static int pktcache_peek(kr_layer_t *ct /* Fetch either answer to original or minimized query */ uint8_t flags = 0; - struct kr_cache *cache = &ctx->req->ctx->cache; - int ret = loot_pktcache(cache, pkt, qry, &flags); + struct kr_cache *cache = &req->ctx->cache; + int ret = loot_pktcache(cache, pkt, req, &flags); if (ret == 0) { - DEBUG_MSG(qry, "=> satisfied from cache\n"); + VERBOSE_MSG(qry, "=> satisfied from cache\n"); qry->flags |= QUERY_CACHED|QUERY_NO_MINIMIZE; if (flags & KR_CACHE_FLAG_WCARD_PROOF) { qry->flags |= QUERY_DNSSEC_WEXPAND; diff --cc lib/layer/rrcache.c index 7488826e8,6bfda032a..fc7a3b6ce --- a/lib/layer/rrcache.c +++ b/lib/layer/rrcache.c @@@ -338,9 -303,9 +338,9 @@@ static int stash_answer(struct kr_reque /* Check if the same CNAME was already resolved */ if (next_cname) { char key[KR_RRKEY_LEN]; - int ret = kr_rrkey(key, next_cname, rr->type, KR_RANK_AUTH); + int ret = kr_rrkey(key, next_cname, rr->type, rank); if (ret != 0 || map_get(stash, key)) { - DEBUG_MSG(qry, "<= cname chain loop\n"); + VERBOSE_MSG(qry, "<= cname chain loop\n"); next_cname = NULL; } } diff --cc lib/layer/validate.c index 21f16b0ae,4cfcb57d1..71177d768 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@@ -388,12 -388,23 +388,27 @@@ static int validate(kr_layer_t *ctx, kn /* Pass-through if user doesn't want secure answer or stub. */ /* @todo: Validating stub resolver mode. 
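Review bot: In lib/layer/rrcache.c, `stash_answer`, the condition `ret != 0 || map_get(stash, key)` logs a failed `kr_rrkey()` call as "cname chain loop", so a key-construction error cannot be told apart from a real loop in the verbose output. I would handle the error first, e.g. `if (ret != 0) { VERBOSE_MSG(qry, "<= cname key error\n"); next_cname = NULL; }`, and keep the loop message for the `map_get` hit only. Because the key is now built with `rank` instead of `KR_RANK_AUTH`, the loop check presumably only matches entries that were stashed under the same rank. The insertion into `stash` is outside this hunk, so that is worth confirming.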
*/ if (!(qry->flags & QUERY_DNSSEC_WANT) || (qry->flags & QUERY_STUB)) { + /* Got validated insecure answer from cache + Mark parent(s) as insecure */ + if ((qry->flags & (QUERY_CACHED | QUERY_DNSSEC_INSECURE)) == + (QUERY_CACHED | QUERY_DNSSEC_INSECURE) && + qry->parent != NULL) { + /* if there is a chain of DS queries, mark all of them */ + struct kr_query *parent = qry->parent; + do { + parent->flags &= ~QUERY_DNSSEC_WANT; + parent->flags |= QUERY_DNSSEC_INSECURE; + parent = parent->parent; + } while (parent && parent->stype == KNOT_RRTYPE_DS); - DEBUG_MSG(qry, "<= cached insecure response, going insecure\n"); ++ VERBOSE_MSG(qry, "<= cached insecure response, going insecure\n"); + ctx->state = KR_STATE_DONE; + } return ctx->state; } + /* Pass-through if CD bit is set. */ + if (knot_wire_get_cd(req->answer->wire)) { + return ctx->state; + } /* Answer for RRSIG may not set DO=1, but all records MUST still validate. */ bool use_signatures = (knot_pkt_qtype(pkt) != KNOT_RRTYPE_RRSIG); if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt) && !use_signatures) { diff --cc lib/resolve.c index 87b4567c3,78ae2a198..4cb2b7ee2 --- a/lib/resolve.c +++ b/lib/resolve.c @@@ -725,17 -721,14 +725,17 @@@ static int trust_chain_check(struct kr_ qry->flags &= ~QUERY_DNSSEC_WANT; } /* Enable DNSSEC if enters a new island of trust. 
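Review bot: In lib/layer/validate.c, the new `if (knot_wire_get_cd(req->answer->wire)) { return ctx->state; }` skips validation on a bit the client controls, and nothing in this hunk shows how the resulting unvalidated records are kept apart from validated ones. If the cache layers can store data fetched under CD=1 and later use it for a query without CD, unvalidated data could reach clients that asked for validation; the `rank` now passed to `kr_rrkey()` in rrcache.c may be what prevents this, but that is not visible here. A comment at the check stating the invariant would help, for example `/* CD=1: records stay unvalidated and must not satisfy non-CD queries from cache. */`. The bit is read from `req->answer->wire` rather than from the query packet, which presumably relies on the answer header having been copied from the request; `validate()` starts and ends outside the hunk.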
*/ - bool want_secured = (qry->flags & QUERY_DNSSEC_WANT); - if (!want_secured && kr_ta_get(trust_anchors, qry->zone_cut.name)) { + bool want_secured = (qry->flags & QUERY_DNSSEC_WANT) && + !knot_wire_get_cd(request->answer->wire); + if (!(qry->flags & QUERY_DNSSEC_WANT) && + !knot_wire_get_cd(request->answer->wire) && + kr_ta_get(trust_anchors, qry->zone_cut.name)) { qry->flags |= QUERY_DNSSEC_WANT; want_secured = true; - WITH_DEBUG { + WITH_VERBOSE { char qname_str[KNOT_DNAME_MAXLEN]; knot_dname_to_str(qname_str, qry->zone_cut.name, sizeof(qname_str)); - DEBUG_MSG(qry, ">< TA: '%s'\n", qname_str); + VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str); } } if (want_secured && !qry->zone_cut.trust_anchor) {
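Review bot: In lib/resolve.c, `trust_chain_check`, the `WITH_VERBOSE` block prints `qname_str` without checking the result of `knot_dname_to_str()`, and the buffer is not initialised. As far as I know the function returns NULL when the text form does not fit, and an escaped name can be longer than `KNOT_DNAME_MAXLEN` bytes, so a zone-cut name that came from the network could lead to `%s` reading uninitialised stack. Guarding the print avoids that: `if (knot_dname_to_str(qname_str, qry->zone_cut.name, sizeof(qname_str))) { VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str); }`. Separately, `knot_wire_get_cd(request->answer->wire)` is evaluated twice in adjacent conditions and could be read once into a local `bool`. The function continues past the end of the hunk.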