From: Vladimír Čunát
Date: Wed, 1 Feb 2017 14:08:26 +0000 (+0100)
Subject: pktcache: fix mixup of BOGUS and INSECURE DNSSEC
X-Git-Tag: v1.2.1~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72e10ad1eee089896cc7e9af37f2380271bc682e;p=thirdparty%2Fknot-resolver.git
pktcache: fix mixup of BOGUS and INSECURE DNSSEC
A negative answer cached from a +cd query could be mistakenly used even for a later query without +cd.
---
diff --git a/lib/layer/pktcache.c b/lib/layer/pktcache.c
index b8a6d0585..861e47cba 100644
--- a/lib/layer/pktcache.c
+++ b/lib/layer/pktcache.c
@@ -54,8 +54,6 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
 uint32_t timestamp = qry->timestamp.tv_sec;
 const knot_dname_t *qname = qry->sname;
 uint16_t rrtype = qry->stype;
- const bool want_secure = (qry->flags & QUERY_DNSSEC_WANT) &&
- !knot_wire_get_cd(req->answer->wire);
 struct kr_cache_entry *entry = NULL;
 int ret = kr_cache_peek(cache, KR_CACHE_PKT, qname,
@@ -65,12 +63,12 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
 }
 /* Check that we have secure rank. */
- if (want_secure && entry->rank == KR_RANK_BAD) {
+ if (!knot_wire_get_cd(req->answer->wire) && entry->rank == KR_RANK_BAD) {
 return kr_error(ENOENT);
 }
 /* Check if entry is insecure and setup query flags if needed. */
- if (want_secure && entry->rank == KR_RANK_INSECURE) {
+ if ((qry->flags & QUERY_DNSSEC_WANT) && entry->rank == KR_RANK_INSECURE) {
 qry->flags |= QUERY_DNSSEC_INSECURE;
 qry->flags &= ~QUERY_DNSSEC_WANT;
 }
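Review bot: The comment kept above the first rewritten condition in the second hunk, `/* Check that we have secure rank. */`, no longer describes the check, which now rejects only `KR_RANK_BAD` entries and only when the CD bit is clear, independent of `QUERY_DNSSEC_WANT`. That condition is what stops an answer cached from a +cd query from being reused for a later query without +cd, so I would state the invariant directly, e.g. `/* Never serve a BAD-ranked (bogus) entry unless the client set CD. */`. Both conditions compare `entry->rank` with `==`, and the hunk does not show the other rank values, so it is worth confirming that no other rank can reach the non-+cd path without validation. The body of loot_pktcache starts and ends outside this hunk.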