From: Vladimír Čunát Date: Wed, 14 Aug 2019 08:48:46 +0000 (+0200) Subject: lib/resolve answer_finalize: don't SERVFAIL bogus +cd X-Git-Tag: v4.2.1~9^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e80fb5e6834241d292706480acb25b28fe04aca2;p=thirdparty%2Fknot-resolver.git lib/resolve answer_finalize: don't SERVFAIL bogus +cd As kresd works now, typically we do not know whether these records are bogus, as with +cd we do not attempt validation. Still, it's possible that we have those records in cache from an occasion without +cd, in which case we know they're bogus and this regression happened. The potential impact of this issue seems minimal. --- diff --git a/NEWS b/NEWS index 0575bad69..b1c2ab83e 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd) Bugfixes -------- - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag +- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860) + (regression since 4.1.0 release, in less common cases) Knot Resolver 4.2.0 (2019-08-05) diff --git a/lib/resolve.c b/lib/resolve.c index 6b411f770..6ef20979a 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -619,8 +619,10 @@ static void answer_finalize(struct kr_request *request) /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */ if (last->flags.DNSSEC_BOGUS || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) { - answer_fail(request); - return; + if (!knot_wire_get_cd(request->qsource.packet->wire)) { + answer_fail(request); + return; + } } /* AD flag. We can only change `secure` from true to false.
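Review bot: In the NEWS hunk, "in less common cases" does not tell an operator whether they are affected. The commit message already gives the concrete condition (the records are in cache as bogus from an earlier query without +cd, and a later +cd query hits them), so the entry could say that in a few words instead. The "(!860)" reference and the "regression since 4.1.0" wording are fine as they are.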
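Review bot: In the lib/resolve.c hunk, the new inner condition reads `request->qsource.packet->wire` with no NULL check on `qsource.packet`. If answer_finalize() can be reached for a request that carries no source packet, this dereference would crash on the bogus path that previously just returned SERVFAIL. Either guard it, treating a missing packet as CD unset so the old answer_fail() behaviour is kept, or add a comment stating the invariant that the packet is always present here. Two smaller points: the nested `if` could be folded into the outer condition to keep the block flat, and the existing TODO comment above the check does not mention the new +cd exception, so a one-line comment explaining that known-bogus data is deliberately returned when the client set CD would help the next reader. Nothing in this diff adds a test for the cached-bogus plus +cd case that the commit message describes.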