Append RRSIGs for secured domains in CNAME chains
When there's a mix of insecured and secured RRSets in a CNAME chain, resolver doesn't append RRSIGs to the signed RRSets (even when resolver has the information).
It's the dreaded www.nic.mx.
case again.
-
IN CNAME www.nic.mx.
(insecure)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 64595
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; www.nic.mx. IN CNAME
;; ANSWER SECTION:
www.nic.mx. 108 IN CNAME www.nicmexico.mx.
;; Received 67 B
;; Time 2017-01-24 10:07:51 CET
;; From ::1@35223(UDP) in 0.6 ms
-
IN A www.nicmexico.mx.
(secure)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7600
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 5; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; www.nicmexico.mx. IN A
;; ANSWER SECTION:
www.nicmexico.mx. 172605 IN A 200.94.180.54
www.nicmexico.mx. 172605 IN A 200.94.180.55
www.nicmexico.mx. 172605 IN A 200.94.180.56
www.nicmexico.mx. 172605 IN A 200.94.180.57
www.nicmexico.mx. 172605 IN RRSIG A 7 3 172800 20170221235959 (
20161221161902 14618 nicmexico.mx.
s3THv+Ay2WrcOTG6bo+54Zc/rff/jhzcJKZ3ZRYM
Xhw3FToSvTOSqsIG1gzW/Sk6r2oikHH3nNluaMTA
XfCULu2mHiQVAuFlnajFSMPcm8KvEyV0cCT7knkA
Fqb+ODkimPMufRHiOLbnhQk9/A25qK7J8rCB76IU
mzk41hYRNBU=
)
;; Received 281 B
;; Time 2017-01-24 10:08:11 CET
;; From ::1@35223(UDP) in 0.2 ms
-
IN A www.nic.mx.
(insecure + secure)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 47737
;; Flags: qr rd ra; QUERY: 1; ANSWER: 5; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; www.nic.mx. IN A
;; ANSWER SECTION:
www.nic.mx. 65 IN CNAME www.nicmexico.mx.
www.nicmexico.mx. 172582 IN A 200.94.180.54
www.nicmexico.mx. 172582 IN A 200.94.180.55
www.nicmexico.mx. 172582 IN A 200.94.180.56
www.nicmexico.mx. 172582 IN A 200.94.180.57
;; Received 145 B
;; Time 2017-01-24 10:08:34 CET
;; From ::1@35223(UDP) in 0.2 ms
In case 3) the RRSIG for www.nicmexico.mx.
should have been appended.
This is also a minor nit, and let's leave it post-1.2.0.