Commit e80fb5e6 authored by Vladimír Čunát

lib/resolve answer_finalize: don't SERVFAIL bogus +cd

As kresd works now, typically we do not know whether these records are
bogus, as with +cd we do not attempt validation.  Still, it's possible
that we have those records in cache from an occasion without +cd, in
which case we know they're bogus and this regression happened.

The potential impact of this issue seems minimal.
parent 26f93e64
......@@ -4,6 +4,8 @@ Knot Resolver 4.x.y (2019-08-dd)
Bugfixes
--------
- rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
(regression since 4.1.0 release, in less common cases)
Knot Resolver 4.2.0 (2019-08-05)
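Review bot: the qualifier "in less common cases" in the new NEWS entry does not tell an operator when they are affected. The commit message gives the concrete condition (the records are already in cache, known bogus from an occasion without +cd, and are then requested with +cd); consider stating that in the entry, for example "when the records were cached as bogus by an earlier request without +cd".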
......
......@@ -619,9 +619,11 @@ static void answer_finalize(struct kr_request *request)
/* TODO: clean this up in !660 or followup, and it isn't foolproof anyway. */
if (last->flags.DNSSEC_BOGUS
|| (rplan->pending.len > 0 && array_tail(rplan->pending)->flags.DNSSEC_BOGUS)) {
if (!knot_wire_get_cd(request->qsource.packet->wire)) {
answer_fail(request);
return;
}
}
/* AD flag. We can only change `secure` from true to false.
* Be conservative. Primary approach: check ranks of all RRs in wire.
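Review bot: the check `knot_wire_get_cd(request->qsource.packet->wire)` dereferences `request->qsource.packet` with no NULL check visible in this hunk. If answer_finalize() can run for a request that has no source packet, guard the access and treat a missing packet as CD=0 so the existing answer_fail() path is kept. With +cd set, the function now falls through to the AD flag block while holding data known to be bogus, so it is worth confirming that `secure` always ends up false on that path. The nested `if` could also be folded into the outer condition.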
......