From: Vladimír Čunát Date: Thu, 13 Apr 2017 12:40:29 +0000 (+0200) Subject: iterate: don't inherit _INSECURE on CNAME jumps X-Git-Tag: v1.3.0~23^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e14eebecde3390ec41948b531e99525e1c9fd1df;p=thirdparty%2Fknot-resolver.git iterate: don't inherit _INSECURE on CNAME jumps The jump may lead to secure zone, so let the sub-query find out by itself. Otherwise we might cache those RRs with INSECURE rank even though they are secure. This shouldn't harm AD flags anymore. --- diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c index a2e9cd178..7e45e8a08 100644 --- a/lib/layer/iterate.c +++ b/lib/layer/iterate.c @@ -644,13 +644,13 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req) return KR_STATE_FAIL; } next->flags |= QUERY_AWAIT_CUT; - if (query->flags & QUERY_DNSSEC_INSECURE) { - next->flags &= ~QUERY_DNSSEC_WANT; - next->flags |= QUERY_DNSSEC_INSECURE; - } else if (kr_ta_covers_qry(req->ctx, cname, query->stype)) { - /* Want DNSSEC if it's posible to secure - * this name (e.g. is covered by any TA) */ + + /* Want DNSSEC if and only if it's posible to secure + * this name (i.e. iff it is covered by a TA) */ + if (kr_ta_covers_qry(req->ctx, cname, query->stype)) { next->flags |= QUERY_DNSSEC_WANT; + } else { + next->flags &= ~QUERY_DNSSEC_WANT; } state = pick_authority(pkt, req, false); if (state != kr_ok()) {
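Review bot: In the new else branch after `kr_ta_covers_qry(req->ctx, cname, query->stype)`, the line `next->flags &= ~QUERY_DNSSEC_WANT;` implies that `next` can already carry DNSSEC flags when this code runs, yet nothing in the hunk clears `QUERY_DNSSEC_INSECURE` on `next`. If `next` can inherit flags from the parent query, the stated goal of not inheriting _INSECURE needs an explicit `next->flags &= ~QUERY_DNSSEC_INSECURE;` here; if `next` always starts with both flags clear, the else branch is redundant and a one-line comment saying so would make the intent clear. The rewritten comment also keeps the spelling "posible", which is worth correcting to "possible" while the lines are being touched. Since the removed branch was the only place in this hunk that propagated the insecure state across a CNAME jump, a regression test covering a CNAME from an insecure zone into a TA-covered zone, and the reverse, would back the commit message's statements about cached ranks and AD flags.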