Commit 55d913ef authored by Marek Vavruša

lib/iterate: scrub DNSSEC records when DO=1

If the client doesn't support DNSSEC, scrub DNSSEC records from the answer
and do not set the AD bit.
parent 345089dc
......@@ -164,7 +164,14 @@ static int update_parent(const knot_rrset_t *rr, struct kr_request *req)
static int update_answer(const knot_rrset_t *rr, unsigned hint, struct kr_request *req)
{
/* Scrub DNSSEC records when not requested. */
knot_pkt_t *answer = req->answer;
if (!knot_edns_do(answer->opt_rr)) {
if (rr->type != knot_pkt_qtype(answer) && knot_rrtype_is_dnssec(rr->type)) {
return KNOT_STATE_DONE; /* Scrub */
}
}
int ret = knot_pkt_put(answer, hint, rr, 0);
if (ret != KNOT_EOK) {
knot_wire_set_tc(answer->wire);
......
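Review bot: `knot_edns_do(answer->opt_rr)` at the top of update_answer is called without first checking that the answer carries an OPT record. If a query that arrives without EDNS leaves `answer->opt_rr` NULL (the code that prepares the answer is not visible here), the plain-query path this commit targets would pass NULL into libknot, and that path is reachable from any client query. Guarding with `if (!knot_pkt_has_edns(answer) || !knot_edns_do(answer->opt_rr)) {` would cover it. The rewritten condition in answer_finalize makes the same call and needs the matching `knot_pkt_has_edns(answer) &&` guard. update_answer's body continues past the end of this hunk.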
......@@ -173,7 +173,6 @@ static int commit_rr(const char *key, void *val, void *data)
}
/* Save RRSIG in a special cache. */
unsigned drift = baton->timestamp;
if (KEY_COVERING_RRSIG(key)) {
return commit_rrsig(baton, rr);
}
......
......@@ -197,7 +197,7 @@ static int answer_finalize(struct kr_request *request, int state)
struct kr_rplan *rplan = &request->rplan;
if (state == KNOT_STATE_DONE && !EMPTY_LIST(rplan->resolved)) {
struct kr_query *last = TAIL(rplan->resolved);
if (last->flags & QUERY_DNSSEC_WANT) {
if ((last->flags & QUERY_DNSSEC_WANT) && knot_edns_do(answer->opt_rr)) {
knot_wire_set_ad(answer->wire);
}
}
......
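Review bot: The rewritten AD condition in answer_finalize keys only on the DO bit, so a client that sets AD in its query without DO never gets AD back. RFC 6840 (sections 5.7 and 5.8) treats an AD bit in the query as a request for AD in the response without DNSSEC records, so the condition should probably accept either signal. Separately, `QUERY_DNSSEC_WANT` on the last resolved query reads as "DNSSEC was requested" rather than "the answer validated", although its definition is not visible here. Since clients treat AD as a statement of validation, a comment such as `/* NOTE: AD asserts validation; confirm QUERY_DNSSEC_WANT implies the answer was validated */` would record what backs the bit. The function starts and ends outside this hunk.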
......@@ -108,13 +108,34 @@ RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
cz. IN NS
ENTRY_END
; check that it answers a plain query
STEP 2 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
cz. IN NS
SECTION ANSWER
cz. 18000 IN NS a.ns.nic.cz.
cz. 18000 IN NS b.ns.nic.cz.
cz. 18000 IN NS c.ns.nic.cz.
cz. 18000 IN NS d.ns.nic.cz.
ENTRY_END
STEP 3 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
cz. IN NS
ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
STEP 4 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD NOERROR
......
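Review bot: The added steps check one query without DO and one with DO, but nothing visible exercises the `rr->type != knot_pkt_qtype(answer)` exemption in update_answer, where a DNSSEC type is asked for explicitly without DO. A further QUERY/CHECK_ANSWER pair asking for such a type (for example `cz. IN DNSKEY` with `REPLY RD`), expecting the record to be returned with AD clear, would pin that branch. It would need matching data in the RANGE section, which is outside this hunk. The final CHECK_ANSWER entry is also cut off at the end of the hunk.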