Commit c5752bdb authored by Vladimír Čunát's avatar Vladimír Čunát

zonecut.c: restrict ranks when fetching TA+key for cut

This is mainly to avoid bad entries, e.g. cached for +cd.
parent 5d422b14
......@@ -384,7 +384,7 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
}
/**
* Fetch RRSet of given type.
* Fetch RRSet of given type. (and of reasonable trustworthiness)
*/
static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
......@@ -401,6 +401,11 @@ static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
if (ret != 0) {
return ret;
}
const bool rankOK = (rank & KR_RANK_SECURE)
|| ((rank & KR_RANK_INSECURE) && (rank & KR_RANK_AUTH));
if (!rankOK) {
return kr_error(ENOENT);
}
knot_rrset_free(rr, pool);
*rr = mm_alloc(pool, sizeof(knot_rrset_t));
......
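Review bot: The doc comment on fetch_rrset now says "of reasonable trustworthiness" without saying what that means, while the check added in the second hunk is precise: an entry is accepted only if its rank has KR_RANK_SECURE, or both KR_RANK_INSECURE and KR_RANK_AUTH, and anything else returns `kr_error(ENOENT)`, which a caller cannot tell apart from a cache miss. Since this function supplies the TA and key for a cut, I would spell the rule out in the comment, e.g. `* Fetch RRSet of given type; only ranks SECURE or INSECURE+AUTH are accepted, anything else yields ENOENT.` The new early return also sits before `knot_rrset_free(rr, pool)`, so `*rr` keeps whatever it held on entry; that matches the existing `ret != 0` path, but the callers (not visible here) should be checked so that they do not keep using an older set after ENOENT. The function body starts and ends outside the visible hunks.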