From: Mark Andrews Date: Fri, 22 Aug 2014 05:45:40 +0000 (+1000) Subject: 3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833] X-Git-Tag: v9.8.8rc1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53837cbbb1c9b37e6c8fdfa07d740d52202deb77;p=thirdparty%2Fbind9.git 3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833] (cherry picked from commit cef76ee5bd845a80e06da934edce4225bdba22a1) (cherry picked from commit 0597c5fd5ebeb2dda9dfefc2327321642eb23c2d) --- diff --git a/CHANGES b/CHANGES index dd1fc43fe31..28755cd24ef 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833] + 3919. [bug] dig: continue to next line if a address lookup fails in batch mode. [RT #36755] diff --git a/bin/named/query.c b/bin/named/query.c index 5272ef9adb0..85ca3a72a9f 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -4868,7 +4868,7 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st, * response policy zone cannot verify. */ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | - DNS_MESSAGEFLAG_AD); + NS_CLIENTATTR_WANTAD); return (ISC_R_SUCCESS); } @@ -5807,7 +5807,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * response policy zone cannot verify. */ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | - DNS_MESSAGEFLAG_AD); + NS_CLIENTATTR_WANTAD); + client->message->flags &= ~DNS_MESSAGEFLAG_AD; query_putrdataset(client, &sigrdataset); rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 0443e5597c5..3a1fe922b5f 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh 
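Review bot: In the rpz_add_cname hunk only the client attribute is masked, whereas the query_find hunk also clears the header bit with `client->message->flags &= ~DNS_MESSAGEFLAG_AD;`. If AD can already be set in client->message->flags when the CNAME rewrite path runs (not visible from this hunk), a policy-rewritten answer could still be sent claiming authenticated data. Either add the same line before `return (ISC_R_SUCCESS);` or extend the comment to say why it is not needed there. Because the original bug was a DNS_MESSAGEFLAG_* constant used as a mask on client->attributes, a short comment at both sites noting that NS_CLIENTATTR_* and DNS_MESSAGEFLAG_* are separate bit spaces would help prevent a repeat. Both functions start outside their hunks.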
@@ -181,6 +181,11 @@ clean_result () {
 # $1=dig args $2=other dig output file
 ckresult () {
 #ckalive "$1" "I:server crashed by 'dig $1'" || return 1
+ if grep "flags:.* aa .*ad;" $DIGNM; then
+ setret "I:'dig $1' AA and AD set;"
+ elif grep "flags:.* aa .*ad;" $DIGNM; then
+ setret "I:'dig $1' AD set;"
+ fi
 if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
 clean_result ${DIGNM}*
 return 0
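Review bot: The `elif` in ckresult repeats the `if` pattern `"flags:.* aa .*ad;"` exactly, so the `AD set` branch can never run and a non-authoritative RPZ response carrying AD passes this check unnoticed. The second pattern presumably should drop the `aa` requirement, for example `elif grep "flags:.* ad;" $DIGNM; then`. Both greps also print the matching line to stdout; redirecting to /dev/null, as the digcomp.pl call below does, would keep the test output clean. ckresult's body continues past the end of the hunk.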