From: Marek Vavruša <mvavrusa@cloudflare.com>
Date: Sun, 8 Apr 2018 01:37:55 +0000 (-0700)
Subject: iterate: update zone cut when NS is authoritative for both parent and child
X-Git-Tag: v2.3.0~19^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=614d12a59a34f9cf3c39b722d0d7023af239f899;p=thirdparty%2Fknot-resolver.git

iterate: update zone cut when NS is authoritative for both parent and child

In some cases the NS is authoritative for both parent and the child side of
the delegation (e.g. nrl.navy.mil). When it gets the query for such NS,
it can respond from the child side with an NS record in the answer and AA=1.
The resolver should update the zone cut accordingly, otherwise it would fail
validation in cases when the child-side of the delegation is insecure,
but parent side  of the delegation is secure, because the child side
would respond without DNSSEC records, and it wouldn't indicate that
the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).
---

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index a4bd12e43..debfe7d22 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -427,6 +427,19 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
 		}
 	}
 
+	/* Nameserver is authoritative for both parent side and the child side of the
+	 * delegation may respond with an NS record in the answer section, and still update
+	 * the zone cut (e.g. what a.gtld-servers.net would respond for `com NS`) */
+	if (!ns_record_exists && knot_wire_get_aa(pkt->wire)) {
+		for (unsigned i = 0; i < an->count; ++i) {
+			const knot_rrset_t *rr = knot_pkt_rr(an, i);
+			if (rr->type == KNOT_RRTYPE_NS && knot_dname_is_sub(rr->owner, qry->zone_cut.name)) {
+				/* NS below cut in authority indicates different authority, but same NS set. */
+				qry->zone_cut.name = knot_dname_copy(rr->owner, &req->pool);
+			}
+		}
+	}
+
 	if (glue_cnt) {
 		VERBOSE_MSG("<= loaded %d glue addresses\n", glue_cnt);
 	}