Commit d183e016 authored by Marek Vavruša's avatar Marek Vavruša

lib/validate: prevent caching of answers needing revalidation

parent 6d3b6ff5
......@@ -274,7 +274,7 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
/* SOA below cut in authority indicates different authority, but same NS set. */
if (knot_dname_is_sub(rr->owner, qry->zone_cut.name)) {
qry->zone_cut.name = knot_dname_copy(rr->owner, &req->pool);
if (knot_pkt_has_dnssec(pkt)) { /* Treat as a referral */
if (qry->flags & QUERY_DNSSEC_WANT) { /* Treat as a referral */
return KNOT_STATE_DONE;
}
}
......
......@@ -100,8 +100,8 @@ static int peek(knot_layer_t *ctx, knot_pkt_t *pkt)
if (!qry || ctx->state & (KNOT_STATE_DONE|KNOT_STATE_FAIL)) {
return ctx->state; /* Already resolved/failed */
}
if (!(qry->flags & QUERY_AWAIT_CUT)) {
return ctx->state; /* Only lookup on first iteration */
if (qry->ns.addr.ip.sa_family != AF_UNSPEC) {
return ctx->state; /* Only lookup before asking a query */
}
if (knot_pkt_qclass(pkt) != KNOT_CLASS_IN) {
return ctx->state; /* Only IN class */
......
......@@ -395,6 +395,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
const knot_dname_t *sig_name = first_rrsig_signer_name(pkt);
if (key_own && sig_name && !knot_dname_is_equal(key_own, sig_name)) {
DEBUG_MSG(qry, ">< cut changed, needs revalidation\n");
knot_wire_set_rcode(pkt->wire, KNOT_RCODE_SERVFAIL); /* Prevent caching */
qry->flags &= ~QUERY_RESOLVED;
return KNOT_STATE_CONSUME;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment