From 6fc991ae9ebca4f346525df6656407dd3ad1f651 Mon Sep 17 00:00:00 2001
From: Grigorii Demidov
Date: Wed, 2 Aug 2017 18:13:49 +0200
Subject: [PATCH] layer/iterate: remove counter-productive validation ... functionality from iterator: don't fail immediately if actual number of labels in owner name exceeds number in label field of RRSIG rrset

---
 NEWS | 4 ++++
 lib/layer/iterate.c | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index f7a4cd622..185173f89 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 Knot Resolver 1.3.3 (2017-0_-__)
 ================================
 
+Bugfixes
+--------
+- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
+
 Improvements
 ------------
 - policy: implement remaining special-use domain names from RFC6761 (#205),
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index b8ce5d01a..0efccbb74 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -465,7 +465,10 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
 	if (rr->type == KNOT_RRTYPE_RRSIG) {
 		int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0);
 		if (rrsig_labels > cname_labels) {
-			return KR_STATE_FAIL;
+			/* clearly wrong RRSIG, don't pick it.
+			 * don't fail immediately,
+			 * let validator work. */
+			continue;
 		}
 		if (rrsig_labels < cname_labels) {
 			query->flags |= QUERY_DNSSEC_WEXPAND;
-- 
2.47.2
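Review bot: The new `continue` in the iterate.c hunk discards the malformed RRSIG without leaving any trace, so an operator who later sees the validator fail the RRset cannot tell that the iterator already dropped a signature whose label count exceeded the owner name's; a debug-level message at the verbosity the rest of this file uses, emitted just before `continue`, would make that visible in the log. The added comment should also say precisely why the record is wrong and who handles the consequence, e.g. `/* RRSIG Labels field exceeds the owner name's label count (invalid per RFC 4035 §5.3.1): skip this signature instead of failing; the validator rejects the RRset if no usable RRSIG remains. */`. The loop that `continue` re-enters and the rest of unroll_cname lie outside the hunk, so whether any per-record bookkeeping after this block is now bypassed for such RRSIGs cannot be checked here. The NEWS hunk is a changelog entry and needs no review.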