layer/validate: additional checks for authoritative answers
authorGrigorii Demidov <grigorii.demidov@nic.cz>
Mon, 16 Jan 2017 10:47:19 +0000 (11:47 +0100)
committerGrigorii Demidov <grigorii.demidov@nic.cz>
Mon, 16 Jan 2017 15:26:11 +0000 (16:26 +0100)
lib/layer/validate.c

index 2550c90694bf23a84e83954f633dff50064328cd..cfe352b3e6fa2d2a9a1b266e5ee1056a1fa9a6f3 100644 (file)
@@ -516,7 +516,17 @@ static int check_signer(kr_layer_t *ctx, knot_pkt_t *pkt)
                }
                VERBOSE_MSG(qry, ">< cut changed, needs revalidation\n");
                if (!signer) {
-                       /* Not a DNSSEC-signed response, ask parent for DS to prove transition to INSECURE. */
+                       /* Not a DNSSEC-signed response, ask parent for DS
+                        * to prove transition to INSECURE. */
+                       const uint16_t qtype = knot_pkt_qtype(pkt);
+                       const knot_dname_t *qname = knot_pkt_qname(pkt);
+                       if (qtype == KNOT_RRTYPE_NS &&
+                           knot_dname_is_sub(qname, qry->zone_cut.name)) {
+                               /* Server is authoritative
+                                * for both parent and child,
+                                * and child zone is not signed. */
+                               qry->zone_cut.name = knot_dname_copy(qname, &req->pool);
+                       }
                } else if (knot_dname_is_sub(signer, qry->zone_cut.name)) {
                        /* Key signer is below current cut, advance and refetch keys. */
                        qry->zone_cut.name = knot_dname_copy(signer, &req->pool);
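Review bot: The new assignment `qry->zone_cut.name = knot_dname_copy(qname, &req->pool);` overwrites the current cut without checking the copy, so an allocation failure would leave the validator with a NULL cut name at the point where it is about to fetch the DS that proves the insecure transition. I would copy into a local first, `knot_dname_t *new_cut = knot_dname_copy(qname, &req->pool);`, and fail the validation step when it is NULL rather than continue. The existing `signer` branch on the context line below has the same unchecked pattern and could be fixed with it. Separately, `qname` comes from `knot_pkt_qname(pkt)` and is passed to `knot_dname_is_sub()` without a NULL test; if a response with no question section can reach this point (not visible here), add `qname != NULL &&` to the condition. The body of `check_signer` starts and ends outside this hunk, so the right failure return value has to be taken from the rest of the function.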