From: menakite <29005531+menakite@users.noreply.github.com> Date: Thu, 29 Aug 2024 03:55:28 +0000 (+0200) Subject: resolver: don't set AD if both Answer and Authority are empty. X-Git-Tag: v6.1.0~7^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f9218e729ab879976ff762eff3e14f99d4d52c3;p=thirdparty%2Fknot-resolver.git resolver: don't set AD if both Answer and Authority are empty. Fixes #914 (nord module: AD=1 is no good) --- diff --git a/NEWS b/NEWS index 2b2f13e82..7880babfe 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ Improvements: - logging: improved logging groups (!1768) - support libdnssec merged into libknot, as planned for knot >= 3.6 (!1769) - support cmocka 2.0.0 (!1772) +- avoid AD=1 in reply if ANSWER+AUTHORITY are empty (#914, !1779) Bugfixes -------- diff --git a/lib/resolve.c b/lib/resolve.c index bc00471bc..7426e1ac9 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -394,6 +394,12 @@ static void answer_finalize(struct kr_request *request) return; } + if (knot_wire_get_ancount(answer->wire) == 0 && knot_wire_get_nscount(answer->wire) == 0) { + /* Let's disable AD flag if the set of RRs covered by it is empty, + * though it seems unclear to vcunat what RFCs say about that special case. */ + secure = false; + } + /* AD: "negative answers" need more handling. */ if (kr_response_classify(answer) != PKT_NOERROR /* Additionally check for CNAME chains that "end in NODATA", diff --git a/modules/refuse_nord/refuse_nord.c b/modules/refuse_nord/refuse_nord.c index 607ff6144..f5171e6ca 100644 --- a/modules/refuse_nord/refuse_nord.c +++ b/modules/refuse_nord/refuse_nord.c @@ -20,7 +20,6 @@ static int refuse_nord_query(kr_layer_t *ctx) if (!answer) return ctx->state; knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED); - knot_wire_clear_ad(answer->wire); kr_request_set_extended_error(req, KNOT_EDNS_EDE_NOTAUTH, "ABC4"); ctx->state = KR_STATE_DONE; return ctx->state;
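Review bot: the new block in answer_finalize() justifies clearing AD with a comment that names a person ("unclear to vcunat") rather than the specification; please replace that with a pointer to the relevant text (RFC 4035 section 3.2.3 defines AD in terms of the RRsets in the Answer and Authority sections, so an empty set is the edge case being decided here) and state explicitly that the resolver chooses the conservative reading. Note also that this check is generic: it now affects every reply with ANCOUNT == 0 and NSCOUNT == 0, not only those produced by refuse_nord, so the comment should say that this is the intended scope. Since `secure = false;` is assigned before the existing "negative answers" handling, it would also help to confirm in the comment that nothing below can set `secure` back to true.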
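Review bot: dropping `knot_wire_clear_ad(answer->wire);` from refuse_nord_query() makes the module depend on the new ANCOUNT/NSCOUNT check in lib/resolve.c to keep AD clear on the REFUSED reply; that coupling is not documented on either side. If a later change adds an Authority record (for example a SOA) to this REFUSED answer, the generic check no longer fires and AD could be set again on a response the module never validated. Either keep the explicit clear here as a cheap safeguard or add a comment in refuse_nord.c that the AD handling is intentionally delegated to answer_finalize(). While here, the extended-error text "ABC4" passed to kr_request_set_extended_error() is opaque and deserves a short comment explaining what it stands for.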