From 273fe41a2e5e4da03261c4a1de8218902ac210da Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 13 Sep 2019 19:18:55 +0200 Subject: [PATCH] lib/resolve answer_finalize: fix AD flag handling Resolves a FIXME, and this way of doing AD should be better/safer. (Lower likelihood of accidentally leaving it on in some situation.) GC test: the record is inserted manually with _SECURE rank but without signatures. I think it's better to return AD flag in that edge case. --- lib/resolve.c | 12 ++-- utils/cache_gc/test.integr/val_rrsig.rpl | 86 ++++++++++++------------ 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/lib/resolve.c b/lib/resolve.c index ba72dc402..53de0fa55 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -567,6 +567,7 @@ static void answer_finalize(struct kr_request *request) { struct kr_rplan *rplan = &request->rplan; knot_pkt_t *answer = request->answer; + const uint8_t *q_wire = request->qsource.packet->wire; if (answer->rrset_count != 0) { /* Non-standard: we assume the answer had been constructed. @@ -605,7 +606,7 @@ static void answer_finalize(struct kr_request *request) /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */ if (last->flags.DNSSEC_BOGUS || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) { - if (!knot_wire_get_cd(request->qsource.packet->wire)) { + if (!knot_wire_get_cd(q_wire)) { answer_fail(request); return; } 
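Review bot: The new `q_wire` initializer at the top of answer_finalize dereferences `request->qsource.packet` on every call, whereas before this commit the only dereference in this function sat inside the DNSSEC_BOGUS branch touched by the second hunk. Nothing visible in the diff guarantees the pointer is non-NULL for every kind of request, so if a request without a source packet can reach this function, the common path would now dereference NULL. If the invariant does hold, state it where the pointer is taken, for example `assert(request->qsource.packet);` ahead of the first use, with a one-line comment that the query packet is always present once an answer is being finalized. The function body starts and ends outside both hunks, so a guard further up cannot be ruled out from here.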
@@ -670,9 +671,10 @@ static void answer_finalize(struct kr_request *request) VERBOSE_MSG(last, "AD: request%s classified as SECURE\n", secure ? "" : " NOT"); request->rank = secure ? KR_RANK_SECURE : KR_RANK_INITIAL; - /* Clear AD if not secure. ATM answer has AD=1 if requested secured answer. */ - if (!secure) { - knot_wire_clear_ad(answer->wire); + /* Set AD if secure and AD bit "was requested". */ + if (secure && !knot_wire_get_cd(q_wire) + && (knot_pkt_has_dnssec(answer) || knot_wire_get_ad(q_wire))) { + knot_wire_set_ad(answer->wire); } } @@ -811,8 +813,6 @@ knot_pkt_t * kr_request_ensure_answer(struct kr_request *request) knot_wire_set_rcode(wire, KNOT_RCODE_NOERROR); if (knot_wire_get_cd(qs_pkt->wire)) { knot_wire_set_cd(wire); - } else if (request->current_query && request->current_query->flags.DNSSEC_WANT) { // FIXME: ugly - knot_wire_set_ad(wire); } // Prepare EDNS if required. diff --git a/utils/cache_gc/test.integr/val_rrsig.rpl b/utils/cache_gc/test.integr/val_rrsig.rpl index 28c77ac3c..22002b783 100644 --- a/utils/cache_gc/test.integr/val_rrsig.rpl +++ b/utils/cache_gc/test.integr/val_rrsig.rpl @@ -13,7 +13,7 @@ ENTRY_END STEP 2 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -30,7 +30,7 @@ ENTRY_END STEP 4 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -47,7 +47,7 @@ ENTRY_END STEP 6 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -64,7 +64,7 @@ ENTRY_END STEP 8 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER 
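Review bot: With the `if (!secure)` clearing branch removed, the condition added in the `-670,9` hunk can only raise AD, so a bit already set on `answer->wire` is no longer cleared when the request is classified NOT secure or the query carries CD. Whether anything else writes the answer header before this point is not visible in the diff, but the "we assume the answer had been constructed" comment in the first hunk suggests answers built elsewhere can reach this function. Making the flag fully determined here takes two lines, `} else {` followed by `knot_wire_clear_ad(answer->wire);`. The comment `"was requested"` would also be clearer if it spelled out the rule: DO on the answer's OPT (which presumably mirrors the client's DO, since `knot_pkt_has_dnssec` is called on `answer`, not the query) or AD set in the query, and never when the query has CD. answer_finalize starts and ends outside this hunk.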
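Review bot: The changed REPLY lines in utils/cache_gc/test.integr/val_rrsig.rpl now expect AD, but the scenario text does not say why. Only the commit message explains that the record is inserted with SECURE rank and no signatures. Someone reading the test alone could take these expectations as evidence that RRSIG validation ran. A short comment near the first changed step would record the intent, e.g. `; AD is expected because the record is inserted with SECURE rank; no signatures are validated in this scenario`. The same applies to the remaining hunks of this file, which repeat the identical one-line change.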
@@ -81,7 +81,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -98,7 +98,7 @@ ENTRY_END STEP 12 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -115,7 +115,7 @@ ENTRY_END STEP 14 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -132,7 +132,7 @@ ENTRY_END STEP 16 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -149,7 +149,7 @@ ENTRY_END STEP 18 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -166,7 +166,7 @@ ENTRY_END STEP 20 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -183,7 +183,7 @@ ENTRY_END STEP 22 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -200,7 +200,7 @@ ENTRY_END STEP 24 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -217,7 +217,7 @@ ENTRY_END STEP 26 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER 
@@ -234,7 +234,7 @@ ENTRY_END STEP 28 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -251,7 +251,7 @@ ENTRY_END STEP 30 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -268,7 +268,7 @@ ENTRY_END STEP 32 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -285,7 +285,7 @@ ENTRY_END STEP 34 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -302,7 +302,7 @@ ENTRY_END STEP 36 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -319,7 +319,7 @@ ENTRY_END STEP 38 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -336,7 +336,7 @@ ENTRY_END STEP 40 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -353,7 +353,7 @@ ENTRY_END STEP 42 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -370,7 +370,7 @@ ENTRY_END STEP 44 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER 
@@ -387,7 +387,7 @@ ENTRY_END STEP 46 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -404,7 +404,7 @@ ENTRY_END STEP 48 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -421,7 +421,7 @@ ENTRY_END STEP 50 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -438,7 +438,7 @@ ENTRY_END STEP 52 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -455,7 +455,7 @@ ENTRY_END STEP 54 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -472,7 +472,7 @@ ENTRY_END STEP 56 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -489,7 +489,7 @@ ENTRY_END STEP 58 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -506,7 +506,7 @@ ENTRY_END STEP 60 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -523,7 +523,7 @@ ENTRY_END STEP 62 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER 
@@ -540,7 +540,7 @@ ENTRY_END STEP 64 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -557,7 +557,7 @@ ENTRY_END STEP 66 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -574,7 +574,7 @@ ENTRY_END STEP 68 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -591,7 +591,7 @@ ENTRY_END STEP 70 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -608,7 +608,7 @@ ENTRY_END STEP 72 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -625,7 +625,7 @@ ENTRY_END STEP 74 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -642,7 +642,7 @@ ENTRY_END STEP 76 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -659,7 +659,7 @@ ENTRY_END STEP 78 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -676,7 +676,7 @@ ENTRY_END STEP 80 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER 
@@ -693,7 +693,7 @@ ENTRY_END STEP 82 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -710,7 +710,7 @@ ENTRY_END STEP 84 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER @@ -727,7 +727,7 @@ ENTRY_END STEP 86 CHECK_ANSWER ENTRY_BEGIN MATCH opcode rcode flags question answer -REPLY QR RD RA DO NOERROR +REPLY QR RD RA AD DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER -- 2.47.2