From: Vladimír Čunát Date: Mon, 10 Apr 2017 17:30:55 +0000 (+0200) Subject: resolve: fix AD flag for negative answers X-Git-Tag: v1.3.0~23^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aeecc78032a06b9106adbf44e82e091ae961049a;p=thirdparty%2Fknot-resolver.git resolve: fix AD flag for negative answers This part of code still deserves better review. It's a bit surprising that our current tests didn't discover it. We incorrectly answered with AD in some cases, e.g. ntp.pool.org AAAA. --- diff --git a/lib/resolve.c b/lib/resolve.c index 7e751939a..21559213d 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -608,6 +608,14 @@ static int answer_finalize(struct kr_request *request, int state) ret = edns_put(answer); } + /* AD: negative answers need more handling. */ + if (kr_response_classify(answer) != PKT_NOERROR && last) { + const bool OK = (last->flags & QUERY_DNSSEC_WANT) + && !(last->flags & (QUERY_DNSSEC_BOGUS | QUERY_DNSSEC_INSECURE)); + if (!OK) { + secure = false; + } + } /* Clear AD if not secure. ATM answer has AD=1 if requested secured answer. */ if (!secure || state != KR_STATE_DONE || knot_pkt_qtype(answer) == KNOT_RRTYPE_RRSIG) { diff --git a/tests/deckard b/tests/deckard index b985a91d0..743603e0c 160000 --- a/tests/deckard +++ b/tests/deckard @@ -1 +1 @@ -Subproject commit b985a91d0e5f2f30d430d3fb4823f20f78661c70 +Subproject commit 743603e0ccd40fa1d0a97dfbc1e9ae963dda89f6
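Review bot: In the lib/resolve.c hunk, the new block only ever lowers `secure` (it sets `secure = false` when `OK` is false and never raises it), which is the right direction for a flag that gates AD, but the comment `/* AD: negative answers need more handling. */` does not say what the extra handling is. Spell out the rule the code implements: for a non-NOERROR response the AD bit is kept only if the last query had `QUERY_DNSSEC_WANT` set and neither `QUERY_DNSSEC_BOGUS` nor `QUERY_DNSSEC_INSECURE`, so a reader can check the condition against the intent without reverse-engineering it. Minor style point: `const bool OK` reads like a macro; a lowercase name such as `want_secure` matches the surrounding code better. The null check on `last` before dereferencing it is good; keep it.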
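Review bot: The tests/deckard hunk is a bare submodule pointer bump (b985a91d0 to 743603e0c) with nothing in the commit message tying it to the fix. Since the message itself says the existing tests did not catch the incorrect AD bit and names ntp.pool.org AAAA as a failing case, state which deckard scenario the new submodule commit adds or changes so a reviewer can confirm the regression test actually covers the negative-answer path touched in lib/resolve.c.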