From: Vladimír Čunát
Date: Thu, 6 May 2021 15:45:51 +0000 (+0200)
Subject: validator: improve NTA precision
X-Git-Tag: v5.4.0~20^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b79176822a78cf345ce789d6160fc79b2c3aa975;p=thirdparty%2Fknot-resolver.git

validator: improve NTA precision
---

diff --git a/NEWS b/NEWS
index 26fab1e82..bfe94176b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Knot Resolver 5.x.y (2021-0m-dd)
+================================
+
+Bugfixes
+--------
+- trust_anchors.set_insecure: improve precision (#673, !1177)
+
+
 Knot Resolver 5.3.2 (2021-05-05)
 ================================
diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index f8fc93a0a..40094a8b3 100644
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -4,6 +4,7 @@
 #pragma once
+#include "lib/defines.h"
 #include "lib/generic/map.h"
 #include
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index cf5c88a1e..cdcf97f23 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -16,6 +16,7 @@
 #include "lib/dnssec/nsec.h"
 #include "lib/dnssec/nsec3.h"
+#include "lib/dnssec/ta.h"
 #include "lib/dnssec.h"
 #include "lib/layer.h"
 #include "lib/resolve.h"
@@ -169,6 +170,13 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qr
 continue; /* these are already OK */
 }
+ if (!knot_dname_is_equal(qry->zone_cut.name, rr->owner)/*optim.*/
+ && !kr_ta_covers_qry(qry->request->ctx, rr->owner, rr->type)) {
+ /* We have NTA "between" our (perceived) zone cut and the RR. */
+ kr_rank_set(&entry->rank, KR_RANK_INSECURE);
+ continue;
+ }
+
 if (rr->type == KNOT_RRTYPE_RRSIG) {
 const knot_dname_t *signer_name = knot_rrsig_signer_name(rr->rrs.rdata);
 if (!knot_dname_is_equal(vctx->zone_name, signer_name)) {
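Review bot: The `/*optim.*/` on the first added line of the validate_section hunk hides an invariant: skipping the kr_ta_covers_qry() call when the owner equals qry->zone_cut.name is only sound if the cut itself is always covered by a positive trust anchor whenever this layer runs, and the hunk does not say so. A comment such as `/* owner == cut name: the cut is covered, or this layer would not be validating */` would make the shortcut reviewable. Separately, for RRSIG entries the third argument is `rr->type` (RRSIG) rather than the type the signature covers; if kr_ta_covers_qry() treats DS specially as a parent-side record, `knot_rrsig_type_covered(rr->rrs.rdata)` may be the more precise value to pass, which is worth confirming against that function before relying on the downgrade to KR_RANK_INSECURE for DS at an NTA apex. validate_section() begins before the hunk and continues past its last line.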