From: Marek VavruĊĦa
Date: Sat, 3 Oct 2015 20:08:10 +0000 (+0200)
Subject: lib/resolve: disable DNSSEC when not under a TA
X-Git-Tag: v1.0.0-beta1~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c6509ea928107d02576b972cc190ef3ee4e05208;p=thirdparty%2Fknot-resolver.git
lib/resolve: disable DNSSEC when not under a TA
---
diff --git a/lib/resolve.c b/lib/resolve.c
index bb43f4c05..96ec791d1 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -390,6 +390,8 @@ static int zone_cut_check(struct kr_request *request, struct kr_query *qry, knot
 if (!kr_ta_covers(negative_anchors, qry->zone_cut.name) &&
 kr_ta_covers(trust_anchors, qry->zone_cut.name)) {
 qry->flags |= QUERY_DNSSEC_WANT;
+ } else {
+ qry->flags &= ~QUERY_DNSSEC_WANT;
 }
 int ret = ns_fetch_cut(qry, request, (qry->flags & QUERY_DNSSEC_WANT));
 if (ret != 0) {
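Review bot: The new `else` branch clears `QUERY_DNSSEC_WANT` without a comment, although it is the point where a query drops from validated to unvalidated resolution. It does so for two different reasons that the code does not distinguish: the cut is covered by a negative anchor, or no trust anchor covers it. I would put a comment above the branch such as `/* Not under a TA, or under a negative TA: resolve without validation; answers below this cut are unauthenticated. */`, so the downgrade is visibly deliberate. The flag is derived from `qry->zone_cut.name` just before `ns_fetch_cut()` is called, so if that call can replace the cut, it is worth confirming that the flag is recomputed for the new cut. That cannot be checked here because the body of zone_cut_check starts and ends outside the hunk.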