From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Mon, 9 Apr 2018 13:01:48 +0000 (+0200)
Subject: validate: avoid DNSSEC_NODS for . DS queries
X-Git-Tag: v2.3.0~13^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c2e9cfe94b082d9f1d6f882e5f0a2a9473038c1;p=thirdparty%2Fknot-resolver.git

validate: avoid DNSSEC_NODS for . DS queries

... after the parent commit. Perhaps it can't cause trouble,
but I'll feel safer this way.
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 7f5e69659..38cd169f4 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -414,7 +414,7 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
 		} else if (ret != 0) {
 			VERBOSE_MSG(qry, "<= bogus proof of DS non-existence\n");
 			qry->flags.DNSSEC_BOGUS = true;
-		} else {
+		} else if (proved_name[0] != '\0') { /* don't go to insecure for . DS */
 			VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
 			qry->flags.DNSSEC_NODS = true;
 			/* Rank the corresponding nonauth NS as insecure. */