Commit 897fafdb authored by Grigorii Demidov's avatar Grigorii Demidov

layer/validate: additional checks for authoritative answers

parent b25ba17b
......@@ -516,7 +516,17 @@ static int check_signer(kr_layer_t *ctx, knot_pkt_t *pkt)
}
VERBOSE_MSG(qry, ">< cut changed, needs revalidation\n");
if (!signer) {
/* Not a DNSSEC-signed response, ask parent for DS to prove transition to INSECURE. */
/* Not a DNSSEC-signed response, ask parent for DS
* to prove transition to INSECURE. */
const uint16_t qtype = knot_pkt_qtype(pkt);
const knot_dname_t *qname = knot_pkt_qname(pkt);
if (qtype == KNOT_RRTYPE_NS &&
knot_dname_is_sub(qname, qry->zone_cut.name)) {
/* Server is authoritative
* for both parent and child,
* and child zone is not signed. */
qry->zone_cut.name = knot_dname_copy(qname, &req->pool);
}
} else if (knot_dname_is_sub(signer, qry->zone_cut.name)) {
/* Key signer is below current cut, advance and refetch keys. */
qry->zone_cut.name = knot_dname_copy(signer, &req->pool);
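Review bot: The new assignment `qry->zone_cut.name = knot_dname_copy(qname, &req->pool);` in the `!signer` branch stores the copy without checking it, so a failed pool allocation would leave the zone cut name NULL for whatever runs next. Copying into a temporary first keeps the old cut intact on failure: `knot_dname_t *cut = knot_dname_copy(qname, &req->pool);`, `if (!cut) return kr_error(ENOMEM);`, `qry->zone_cut.name = cut;`. The unchanged `signer` branch just below has the same pattern and could get the same guard. Because `qname` comes from the question section of a response that carries no signature, the comment should also say that the cut is moved on unauthenticated data and that the insecure status still depends on the DS proof from the parent, for example `/* qname is unauthenticated here; the DS query to the parent must still prove INSECURE. */`. check_signer starts and ends outside this hunk, so a later NULL check or an earlier comparison of the packet's qname with the query name is not visible from here.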
......