From: Marek Vavruša <marek.vavrusa@nic.cz>
Date: Thu, 10 Dec 2015 23:53:35 +0000 (+0100)
Subject: layer/iterate: fail answers with NSs outside bailiwick immediately
X-Git-Tag: v1.0.0-beta3~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=378672e49b06b7fcbadd9eaa10034563609b7172;p=thirdparty%2Fknot-resolver.git

layer/iterate: fail answers with NSs outside bailiwick immediately
---

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 7e88885f1..69ec3714c 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -222,8 +222,8 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr, struct kr_request
 	/* Authority MUST be at/below the authority of the nameserver, otherwise
 	 * possible cache injection attempt. */
 	if (!knot_dname_in(cut->name, rr->owner)) {
-		DEBUG_MSG("<= authority: ns outside bailiwick, ignoring\n");
-		return state;
+		DEBUG_MSG("<= authority: ns outside bailiwick, failing\n");
+		return KNOT_STATE_FAIL;
 	}
 
 	/* Update zone cut name */