Commit a5e6600f authored by Marek Vavruša's avatar Marek Vavruša

lib/iterate: treat SOA change with signed queries as referral

with DNSSEC, such query needs to be revalidated as the TA/key is missing
for the new zone cut, which would lead to duplicated answers

in the future there may be an api to defer query processing, but for now
it can't be done
parent bdc0c78d
......@@ -274,6 +274,9 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
/* SOA below cut in authority indicates different authority, but same NS set. */
if (knot_dname_is_sub(rr->owner, qry->zone_cut.name)) {
qry->zone_cut.name = knot_dname_copy(rr->owner, &req->pool);
if (knot_pkt_has_dnssec(pkt)) { /* Treat as a referral */
return KNOT_STATE_DONE;
}
}
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment