From: Lennart Poettering Date: Tue, 14 Feb 2017 18:25:47 +0000 (+0100) Subject: resolved: automatically downgrade reply bits on send X-Git-Tag: v233~76^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=941dd294507e1def8fd5e59c5bc3e3ed2b27b6b0;p=thirdparty%2Fsystemd.git resolved: automatically downgrade reply bits on send Doesn't really change anything, but makes things a bit simpler to read.
---
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index 7d43825960e..12936bc0158 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -94,9 +94,18 @@ static int dns_stub_finish_reply_packet(
 assert(p);
- /* If the client didn't do EDNS, clamp the rcode to 4 bit */
- if (!add_opt && rcode > 0xF)
- rcode = DNS_RCODE_SERVFAIL;
+ if (!add_opt) {
+ /* If the client can't to EDNS0, don't do DO either */
+ edns0_do = false;
+
+ /* If the client didn't do EDNS, clamp the rcode to 4 bit */
+ if (rcode > 0xF)
+ rcode = DNS_RCODE_SERVFAIL;
+ }
+
+ /* Don't set the AD bit unless DO is on, too */
+ if (!edns0_do)
+ ad = false;
 DNS_PACKET_HEADER(p)->id = id;
@@ -214,7 +223,7 @@ static void dns_stub_query_complete(DnsQuery *q) {
 q->answer_rcode,
 !!q->request_dns_packet->opt,
 DNS_PACKET_DO(q->request_dns_packet),
- DNS_PACKET_DO(q->request_dns_packet) && dns_query_fully_authenticated(q));
+ dns_query_fully_authenticated(q));
 if (r < 0) {
 log_debug_errno(r, "Failed to finish reply packet: %m");
 break;
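Review bot: The two added blocks in dns_stub_finish_reply_packet() are order-dependent, but nothing says so. The `if (!edns0_do)` test clears `ad` for non-EDNS clients only because the `if (!add_opt)` block before it has already forced `edns0_do = false`. A comment on the second block, such as `/* Must stay after the add_opt downgrade above, which may clear edns0_do */`, would keep a later reorder from letting the AD bit reach a client that never signalled DO. The first new comment also has a typo: `can't to EDNS0` should read `can't do EDNS0`. The parameter list and the rest of the body are outside the hunk, so I could not check whether the parameter comments mention that `edns0_do` and `ad` may be silently downgraded.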
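Review bot: With the `DNS_PACKET_DO(q->request_dns_packet) &&` guard removed from the last argument, this call site in dns_stub_query_complete() no longer shows that AD is conditional on DO. The guarantee now rests entirely on the callee clearing `ad`. A one-line comment above the argument, for example `/* AD is cleared in dns_stub_finish_reply_packet() unless the client set DO */`, would make that dependency visible to anyone auditing the DNSSEC signalling. The enclosing call and the surrounding switch begin outside the hunk, so other reply paths cannot be checked from here.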