pullup:

 651.   [func]          The AD bit in responses now has the meaning
                        specified in <draft-ietf-dnsext-ad-is-secure>.

diff --git a/bin/named/query.c b/bin/named/query.c
index 910fb90e12362764535489faf8f322b95787f53e..ec864290dbde40555b9e8c932b17901083450104 100644 (file)
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.163 2000/12/27 23:01:25 marka Exp $ */
+/* $Id: query.c,v 1.163.2.1 2001/01/05 23:50:13 gson Exp $ */
 
 #include <config.h>
 
@@ -3415,11 +3415,8 @@ ns_query_start(ns_client_t *client) {
        message->flags |= DNS_MESSAGEFLAG_AA;
 
        /*
-        * Set AD.  We need only clear it if we add "pending" data to
-        * a response.
-        *
-        * XXX  Note: the way AD is set will be changing in the near
-        *      future.
+        * Set AD.  We must clear it if we add non-validated data to a
+        * response.
         */
        if (WANTDNSSEC(client))
                message->flags |= DNS_MESSAGEFLAG_AD;

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 07028c45aff035cf14b15e408757723cfeb669df..8415e5077cb2e1f3f1a15ff75b9cf9f0da1be962 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.27 2000/11/22 01:26:24 gson Exp $
+# $Id: tests.sh,v 1.27.4.1 2001/01/05 23:50:14 gson Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -65,7 +65,9 @@ ret=0
 $DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -112,7 +114,9 @@ $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
 $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
        > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -126,7 +130,9 @@ $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
 $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
        || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -191,8 +197,9 @@ $DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
        > dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -205,8 +212,9 @@ $DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
        > dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi

diff --git a/lib/dns/message.c b/lib/dns/message.c
index 1544789a8295422f557ad679c027881e207d521b..ae2214597d19c9f9be9cf493f12f3f9226499cee 100644 (file)
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.164 2000/12/11 19:24:13 bwelling Exp $ */
+/* $Id: message.c,v 1.164.2.1 2001/01/05 23:50:16 gson Exp $ */
 
 /***
  *** Imports
@@ -1774,10 +1774,10 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
                                }
 
                                /*
-                                * If we have rendered pending data, ensure
-                                * that the AD bit is not set.
+                                * If we have rendered non-validated data,
+                                * ensure that the AD bit is not set.
                                 */
-                               if (rdataset->trust == dns_trust_pending &&
+                               if (rdataset->trust != dns_trust_secure &&
                                    (sectionid == DNS_SECTION_ANSWER ||
                                     sectionid == DNS_SECTION_AUTHORITY))
                                        msg->flags &= ~DNS_MESSAGEFLAG_AD;