Commit e80fb5e6 authored by Vladimír Čunát

lib/resolve answer_finalize: don't SERVFAIL bogus +cd

As kresd works now, typically we do not know whether these records are
bogus, as with +cd we do not attempt validation.  Still, it's possible
that we have those records in cache from an occasion without +cd, in
which case we know they're bogus and this regression happened.

The potential impact of this issue seems minimal.
parent 26f93e64
...@@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd) ...@@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd)
Bugfixes Bugfixes
-------- --------
- rebinding module: fix handling some requests, respect ALLOW_LOCAL flag - rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
(regression since 4.1.0 release, in less common cases)
Knot Resolver 4.2.0 (2019-08-05) Knot Resolver 4.2.0 (2019-08-05)
......
...@@ -619,8 +619,10 @@ static void answer_finalize(struct kr_request *request) ...@@ -619,8 +619,10 @@ static void answer_finalize(struct kr_request *request)
/* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */ /* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */
if (last->flags.DNSSEC_BOGUS if (last->flags.DNSSEC_BOGUS
|| (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) { || (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) {
answer_fail(request); if (!knot_wire_get_cd(request->qsource.packet->wire)) {
return; answer_fail(request);
return;
}
} }
/* AD flag. We can only change `secure` from true to false. /* AD flag. We can only change `secure` from true to false.
......
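Review bot: in the bogus branch of answer_finalize(), the new condition `knot_wire_get_cd(request->qsource.packet->wire)` dereferences `request->qsource.packet` with no NULL check. If any caller can reach answer_finalize() with a request that carries no source packet, this turns into a crash on exactly the bogus-data path, so either guard it (`request->qsource.packet && knot_wire_get_cd(...)`) or state the non-NULL invariant in a comment next to the check. Because a +cd request now falls through to the AD-flag code that follows, it is also worth confirming that a known-bogus answer served this way can never leave with AD set. Smaller points: the inner `if` could be folded into the outer condition, a one-line comment explaining why +cd skips answer_fail() would help given the existing TODO says this block is not foolproof, and the visible hunks add no regression test for the cached-bogus then +cd sequence described in the commit message.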