From: Marek Vavruša Date: Sat, 19 Sep 2015 19:27:45 +0000 (+0200) Subject: lib/resolve: AD flag is set only for secure answers X-Git-Tag: v1.0.0-beta1~53^2~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de6f492ee14a650cf03e31107df1e7caef0c5051;p=thirdparty%2Fknot-resolver.git lib/resolve: AD flag is set only for secure answers if the final query isn’t satisfied with DNSSEC on, then the answer counts as insecure --- diff --git a/lib/resolve.c b/lib/resolve.c index c77b40cec..92311e15f 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -191,8 +191,12 @@ static int answer_finalize(struct kr_request *request, int state) } } /* Set AD=1 if succeeded and requested secured answer. */ - if (state == KNOT_STATE_DONE && (request->options & QUERY_DNSSEC_WANT)) { - knot_wire_set_ad(answer->wire); + struct kr_rplan *rplan = &request->rplan; + if (state == KNOT_STATE_DONE && !EMPTY_LIST(rplan->resolved)) { + struct kr_query *last = TAIL(rplan->resolved); + if (last->flags & QUERY_DNSSEC_WANT) { + knot_wire_set_ad(answer->wire); + } } return kr_ok(); }