From: Grigorii Demidov Date: Wed, 2 Aug 2017 16:13:49 +0000 (+0200) Subject: layer/iterate: remove counter-productive validation X-Git-Tag: v1.3.3~5^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fc991ae9ebca4f346525df6656407dd3ad1f651;p=thirdparty%2Fknot-resolver.git layer/iterate: remove counter-productive validation ... functionality from iterator: don't fail immediately if actual number of labels in owner name exceeds number in label field of RRSIG rrset --- diff --git a/NEWS b/NEWS index f7a4cd622..185173f89 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,10 @@ Knot Resolver 1.3.3 (2017-0_-__) ================================ +Bugfixes +-------- +- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL + Improvements ------------ - policy: implement remaining special-use domain names from RFC6761 (#205), diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c index b8ce5d01a..0efccbb74 100644 --- a/lib/layer/iterate.c +++ b/lib/layer/iterate.c @@ -465,7 +465,10 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral, if (rr->type == KNOT_RRTYPE_RRSIG) { int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0); if (rrsig_labels > cname_labels) { - return KR_STATE_FAIL; + /* clearly wrong RRSIG, don't pick it. + * don't fail immediately, + * let validator work. */ + continue; } if (rrsig_labels < cname_labels) { query->flags |= QUERY_DNSSEC_WEXPAND;
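Review bot: in the iterate.c hunk, the `continue` at `if (rrsig_labels > cname_labels)` drops the malformed RRSIG silently, whereas the replaced `return KR_STATE_FAIL;` at least made the bad record visible as a failure; consider emitting a verbose-level log line before the `continue` so operators can tell that an upstream server is sending RRSIGs whose labels field exceeds the owner name's label count, since an attacker or misconfigured server triggering this path will otherwise leave no trace. Also confirm that nothing later in the loop body (not shown in the hunk) still needs to run for an RRSIG record, because `continue` now skips the rest of that iteration, and that the `rrsig_labels < cname_labels` branch setting `QUERY_DNSSEC_WEXPAND` is therefore only reached by RRSIGs that pass this check. The three-line comment would read better as one sentence, e.g. `/* Clearly wrong RRSIG: skip it instead of failing, and let the validator decide. */`.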