From: Marek VavruĊĦa
Date: Thu, 19 Nov 2015 12:45:50 +0000 (+0100)
Subject: lib/iterate: scrub dnssec data from authority when not requested
X-Git-Tag: v1.0.0-beta2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc3a0bf07cd3510df677255121d6239a3513873b;p=thirdparty%2Fknot-resolver.git
lib/iterate: scrub dnssec data from authority when not requested
refs #33
---
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 6bf08b1e7..27202af20 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -313,12 +313,18 @@ static void finalize_answer(knot_pkt_t *pkt, struct kr_query *qry, struct kr_req
 knot_wire_set_rcode(answer->wire, knot_wire_get_rcode(pkt->wire));
 /* Fill in bailiwick records in authority */
+ const bool scrub_dnssec = !knot_pkt_has_dnssec(answer);
+ const uint16_t qtype = knot_pkt_qtype(answer);
 struct kr_zonecut *cut = &qry->zone_cut;
 int pkt_class = kr_response_classify(pkt);
 if (pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) {
 const knot_pktsection_t *ns = knot_pkt_section(pkt, KNOT_AUTHORITY);
 for (unsigned i = 0; i < ns->count; ++i) {
 const knot_rrset_t *rr = knot_pkt_rr(ns, i);
+ /* Scrub DNSSEC records when not requested. */
+ if (scrub_dnssec && rr->type != qtype && knot_rrtype_is_dnssec(rr->type)) {
+ continue;
+ }
 /* Stash the authority records, they will be written to wire on answer finalization. */
 if (knot_dname_in(cut->name, rr->owner)) {
 kr_rrarray_add(&req->authority, rr, &answer->mm);
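Review bot: The new comment in the authority loop does not explain the `rr->type != qtype` exemption, so a reader cannot tell that DNSSEC types are deliberately kept when the client queried that type. I would reword it to `/* Scrub DNSSEC records unless the client set DO or queried this type explicitly. */`. `scrub_dnssec` is derived from `answer`, so it presumably depends on the client's OPT record (DO bit) already being present on `answer` when finalize_answer() runs; if it is not, every client would get scrubbed authority data, which is worth confirming against the caller. The check sits only in the NXDOMAIN/NODATA loop, so any other path that copies RRSIG/NSEC records into the answer or `req->authority` lies outside this hunk and would need the same filter. finalize_answer() starts and ends outside the hunk.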