From e80fb5e6834241d292706480acb25b28fe04aca2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 14 Aug 2019 10:48:46 +0200
Subject: [PATCH] lib/resolve answer_finalize: don't SERVFAIL bogus +cd

As kresd works now, typically we do not know whether these records are bogus, as with +cd we do not attempt validation. Still, it's possible that we have those records in cache from an occasion without +cd, in which case we know they're bogus and this regression happened. The potential impact of this issue seems minimal.
---
 NEWS | 2 ++
 lib/resolve.c | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 0575bad69..b1c2ab83e 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd)
 Bugfixes
 --------
 - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
+- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
+ (regression since 4.1.0 release, in less common cases)
 Knot Resolver 4.2.0 (2019-08-05)
diff --git a/lib/resolve.c b/lib/resolve.c
index 6b411f770..6ef20979a 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -619,8 +619,10 @@ static void answer_finalize(struct kr_request *request)
 /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */
 if (last->flags.DNSSEC_BOGUS || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) {
- answer_fail(request);
- return;
+ if (!knot_wire_get_cd(request->qsource.packet->wire)) {
+ answer_fail(request);
+ return;
+ }
 }
 /* AD flag. We can only change `secure` from true to false.
-- 
2.47.2
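Review bot: The new inner check in the lib/resolve.c hunk dereferences `request->qsource.packet->wire` without a NULL test; if `qsource.packet` can be absent for requests that did not arrive as a client packet (not visible in this hunk), a cached bogus record would cause a crash instead of a SERVFAIL. Failing closed keeps the old behaviour for that case: `if (!request->qsource.packet || !knot_wire_get_cd(request->qsource.packet->wire)) {`. A known-bogus answer to a +cd query now falls through to the AD-flag handling that starts at the end of the hunk, so a short comment such as `/* +cd: the client does its own validation, so return the bogus data; AD must stay clear. */` would document the intent. answer_finalize's body begins and ends outside the hunk, so whether AD is actually cleared on this path cannot be confirmed from here.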