From: Marek Vavrusa Date: Mon, 8 Feb 2016 01:36:48 +0000 (+0000) Subject: lib/validate: scrubbed extra rrs in NS were checked X-Git-Tag: v1.0.0~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78cb3f079c3d779bcf447a1668e87635a1584420;p=thirdparty%2Fknot-resolver.git lib/validate: scrubbed extra rrs in NS were checked the validator module should ignore any data that will be scrubbed, that includes non-authoritative data outside current bailiwick. previously, validator attempted to ignore these records only for answer section and had a special case for NS records. cache: non-authoritative NS records are always unchecked and must be treated as insecure affected: www.iana.org trying to provide delegation information for CNAME target, which is moot with CNAME target explicit-fetch policy unless the the resolver already knows DNSKEY with which is could verify the records
---
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index ca5bdedf1..d254d9afc 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -177,10 +177,15 @@ static int commit_rr(const char *key, void *val, void *data)
 /* Save RRSIG in a special cache. */
 uint16_t rank = KEY_FLAG_RANK(key);
- if (baton->qry->flags & QUERY_DNSSEC_WANT)
- rank |= KR_RANK_SECURE;
- if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
- rank |= KR_RANK_INSECURE;
+ /* Non-authoritative NSs should never be trusted,
+ * it may be present in an otherwise secure answer but it
+ * is only a hint for local state. */
+ if (rr->type != KNOT_RRTYPE_NS || (rank & KR_RANK_AUTH)) {
+ if (baton->qry->flags & QUERY_DNSSEC_WANT)
+ rank |= KR_RANK_SECURE;
+ if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
+ rank |= KR_RANK_INSECURE;
+ }
 if (KEY_COVERING_RRSIG(key)) {
 return commit_rrsig(baton, rank, rr);
 }
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index a516c6f9a..453a00caf 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
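Review bot: The new guard leaves a non-authoritative NS record with a rank that carries neither KR_RANK_SECURE nor KR_RANK_INSECURE, while the commit message says such records must be treated as insecure; the comment above the `if` should state that explicitly so cache readers do not infer trust from the absence of KR_RANK_INSECURE, e.g. `/* Such records keep a rank with neither SECURE nor INSECURE set; readers must treat that as unverified, never as validated. */`. If any lookup elsewhere keys its trust decision on `!(rank & KR_RANK_INSECURE)` instead of on KR_RANK_SECURE being present, these unsigned delegation hints would be misclassified; that consumer is not visible here and is worth checking. The two inner `if` statements are still unbraced single-statement bodies, which is inconsistent with the braced block they now sit in. commit_rr begins and ends outside the hunk.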
@@ -125,7 +125,7 @@ static int validate_section(struct kr_query *qry, knot_pkt_t *answer,
 continue;
 }
 /* Only validate answers from current cut, records above the cut are stripped. */
- if (section_id == KNOT_ANSWER && !knot_dname_in(qry->zone_cut.name, rr->owner)) {
+ if (!knot_dname_in(qry->zone_cut.name, rr->owner)) {
 continue;
 }
 ret = kr_rrmap_add(&stash, rr, 0, pool);
diff --git a/tests/deckard b/tests/deckard
index 7d8a8ce66..866b7b95c 160000
--- a/tests/deckard
+++ b/tests/deckard
@@ -1 +1 @@
-Subproject commit 7d8a8ce66e41c4ffa2ebf1edc3839494873855c1
+Subproject commit 866b7b95ce7355d112b9e47504825c31c6fcb27a
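Review bot: The comment above the changed line still reads "Only validate answers from current cut", but the check now skips out-of-cut records in every section, so it should be updated to state the new intent and what it depends on, e.g. `/* Skip records outside the current cut in any section: they are stripped before use, so they are neither validated nor trusted here. */`. The safety of skipping them rests on the scrubbing step actually dropping those authority/additional records before anything consumes them, which is not visible in this hunk; a record skipped here that nonetheless survived would reach later stages unvalidated, so that path is worth confirming. If `section_id` is no longer read anywhere else in the function, the compiler may now report it as unused. validate_section begins and ends outside the hunk.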