Merge branch 'master' into deckard

lib/layer/iterate.c

@@ -313,12 +313,18 @@ static void finalize_answer(knot_pkt_t *pkt, struct kr_query *qry, struct kr_req
 	knot_wire_set_rcode(answer->wire, knot_wire_get_rcode(pkt->wire));
 
 	/* Fill in bailiwick records in authority */
+	const bool scrub_dnssec = !knot_pkt_has_dnssec(answer);
+	const uint16_t qtype = knot_pkt_qtype(answer);
 	struct kr_zonecut *cut = &qry->zone_cut;
 	int pkt_class = kr_response_classify(pkt);
 	if (pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) {
 		const knot_pktsection_t *ns = knot_pkt_section(pkt, KNOT_AUTHORITY);
 		for (unsigned i = 0; i < ns->count; ++i) {
 			const knot_rrset_t *rr = knot_pkt_rr(ns, i);
+			/* Scrub DNSSEC records when not requested. */
+			if (scrub_dnssec && rr->type != qtype && knot_rrtype_is_dnssec(rr->type)) {
+				continue;
+			}
 			/* Stash the authority records, they will be written to wire on answer finalization. */
 			if (knot_dname_in(cut->name, rr->owner)) {
 				kr_rrarray_add(&req->authority, rr, &answer->mm);

lib/layer/validate.c

@@ -216,9 +216,14 @@ static int update_parent(struct kr_query *qry, uint16_t answer_type)
 		break;
 	case KNOT_RRTYPE_DS:
 		DEBUG_MSG(qry, "<= parent: updating DS\n");
-		parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool);
-		if (!parent->zone_cut.trust_anchor) {
-			return KNOT_STATE_FAIL;
+		if (qry->flags & QUERY_DNSSEC_INSECURE) { /* DS non-existence proven. */
+			parent->flags &= ~QUERY_DNSSEC_WANT;
+			parent->flags |= QUERY_DNSSEC_INSECURE;
+		} else { /* DS existence proven. */
+			parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool);
+			if (!parent->zone_cut.trust_anchor) {
+				return KNOT_STATE_FAIL;
+			}
 		}
 		break;
 	default: break;
@@ -246,14 +251,13 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
 
 	/* No DS provided, check for proof of non-existence. */
 	int ret = 0;
+	const knot_dname_t *proved_name = qry->zone_cut.name;
 	knot_rrset_t *new_ds = update_ds(cut, knot_pkt_section(answer, section));
 	if (!new_ds) {
-		if (has_nsec3) {
-			ret = kr_nsec3_no_data_response_check(answer, section,
-			      qry->zone_cut.name, KNOT_RRTYPE_DS);
+		if (!has_nsec3) {
+			ret = kr_nsec_existence_denial(answer, KNOT_AUTHORITY, proved_name, KNOT_RRTYPE_DS);
 		} else {
-			ret = kr_nsec_no_data_response_check(answer, section,
-			      qry->zone_cut.name, KNOT_RRTYPE_DS);
+			ret = kr_nsec3_no_data(answer, KNOT_AUTHORITY, proved_name, KNOT_RRTYPE_DS);
 		}
 		if (ret != 0) {
 			DEBUG_MSG(qry, "<= bogus proof of DS non-existence\n");
@@ -315,17 +319,19 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 
 	/* Track difference between current TA and signer name.
 	 * This indicates that the NS is auth for both parent-child, and we must update DS/DNSKEY to validate it.
-	 * @todo: This has to be checked here before we put the data into packet, there is no "DEFER" or "PAUSE" action yet.
 	 */
 	const bool track_pc_change = (!(qry->flags & QUERY_CACHED) && (qry->flags & QUERY_DNSSEC_WANT));
 	const knot_dname_t *ta_name = qry->zone_cut.trust_anchor ? qry->zone_cut.trust_anchor->owner : NULL;
 	const knot_dname_t *signer = signature_authority(pkt);
-	if (track_pc_change && ta_name && signer && !knot_dname_is_equal(ta_name, signer)) {
+	if (track_pc_change && ta_name && (!signer || !knot_dname_is_equal(ta_name, signer))) {
 		if (ctx->state == KNOT_STATE_YIELD) { /* Already yielded for revalidation. */
 			return KNOT_STATE_FAIL;
 		}
 		DEBUG_MSG(qry, ">< cut changed, needs revalidation\n");
-		if (knot_dname_is_sub(signer, qry->zone_cut.name)) {
+		if (!signer) {
+			/* Not a DNSSEC-signed response, ask parent for DS to prove transition to INSECURE. */
+		} else if (knot_dname_is_sub(signer, qry->zone_cut.name)) {
+			/* Key signer is below current cut, advance and refetch keys. */
 			qry->zone_cut.name = knot_dname_copy(signer, &req->pool);
 		} else if (!knot_dname_is_equal(signer, qry->zone_cut.name)) {
 			/* Key signer is above the current cut, so we can't validate it. This happens when