From 38608bd4508f58d3b5499f8db4e545ef30a89265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Vavru=C5=A1a?= <marek.vavrusa@nic.cz>
Date: Fri, 23 May 2014 14:58:08 +0200
Subject: [PATCH] edns: resolved todo

---
 src/knot/nameserver/internet.c      | 10 ++++++----
 src/knot/nameserver/process_query.c |  8 ++------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/src/knot/nameserver/internet.c b/src/knot/nameserver/internet.c
index fc6b77821..698919ff7 100644
--- a/src/knot/nameserver/internet.c
+++ b/src/knot/nameserver/internet.c
@@ -19,6 +19,7 @@
 #include "libknot/common.h"
 #include "libknot/rdata/rdname.h"
 #include "libknot/rdata/soa.h"
+#include "libknot/edns.h"
 #include "libknot/dnssec/rrset-sign.h"
 #include "knot/nameserver/internet.h"
 #include "knot/nameserver/nsec_proofs.h"
@@ -118,9 +119,10 @@ static bool dname_cname_cannot_synth(const knot_rrset_t *rrset, const knot_dname
 }
 
 /*! \brief DNSSEC both requested & available. */
-static bool have_dnssec(struct query_data *qdata)
+static bool have_dnssec(struct query_data *qdata, knot_pkt_t *response)
 {
 	return pkt_has_dnssec(qdata->query) &&
+	       knot_edns_do(response->opt_rr) &&
 	       zone_contents_is_signed(qdata->zone->contents);
 }
 
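Review bot: `have_dnssec()` now passes `response->opt_rr` to `knot_edns_do()`, and nothing in this patch shows that the response always carries an OPT RR or that `knot_edns_do()` tolerates a missing one. This path is reached for any query that requests DNSSEC, so either confirm that invariant or guard it, e.g. `response->opt_rr != NULL && knot_edns_do(response->opt_rr) &&`, assuming `opt_rr` is a pointer. The doc comment should also say why the response is consulted, for instance `/*! \brief DNSSEC requested by the query, DO set in the response OPT RR, and zone signed. */`. Since `response` is only read here, `const knot_pkt_t *response` would fit. The three `solve_*_dnssec()` callers in the later hunks only forward `pkt` and need no separate change.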
@@ -556,7 +558,7 @@ static int solve_answer(int state, knot_pkt_t *pkt, struct query_data *qdata, vo
 
 static int solve_answer_dnssec(int state, knot_pkt_t *pkt, struct query_data *qdata, void *ctx)
 {
-	if (!have_dnssec(qdata)) {
+	if (!have_dnssec(qdata, pkt)) {
 		return state; /* DNSSEC not supported. */
 	}
 
@@ -611,7 +613,7 @@ static int solve_authority(int state, knot_pkt_t *pkt, struct query_data *qdata,
 
 static int solve_authority_dnssec(int state, knot_pkt_t *pkt, struct query_data *qdata, void *ctx)
 {
-	if (!have_dnssec(qdata)) {
+	if (!have_dnssec(qdata, pkt)) {
 		return state; /* DNSSEC not supported. */
 	}
 
@@ -686,7 +688,7 @@ static int solve_additional(int state, knot_pkt_t *pkt,
 
 static int solve_additional_dnssec(int state, knot_pkt_t *pkt, struct query_data *qdata, void *ctx)
 {
-	if (!have_dnssec(qdata)) {
+	if (!have_dnssec(qdata, pkt)) {
 		return state; /* DNSSEC not supported. */
 	}
 
diff --git a/src/knot/nameserver/process_query.c b/src/knot/nameserver/process_query.c
index 515de1c33..cdaa92b74 100644
--- a/src/knot/nameserver/process_query.c
+++ b/src/knot/nameserver/process_query.c
@@ -561,13 +561,9 @@ static int prepare_answer(const knot_pkt_t *query, knot_pkt_t *resp, knot_proces
 
 	/* Check EDNS version and return BADVERS if not supported.
 	 * Also do not add NSID if the version is not supported.
-	 *
-	 * TODO: DNSSEC is now processed if the query has the DO bit set.
-	 * If it has unsupported version of EDNS, DNSSEC processing probably
-	 * shouldn't occur.
 	 */
-	bool ver_ok = knot_edns_get_version(query->opt_rr)
-	                != knot_edns_get_version(resp->opt_rr);
+	bool ver_ok = (knot_edns_get_version(query->opt_rr)
+	                != knot_edns_get_version(resp->opt_rr));
 	if (ver_ok) {
 		dbg_ns("%s: unsupported EDNS version required.\n", __func__);
 		knot_edns_set_ext_rcode(resp->opt_rr, KNOT_EDNS_RCODE_BADVERS);
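Review bot: `ver_ok` is true exactly when the query and response EDNS versions differ, i.e. on the BADVERS path, so the name says the opposite of what it holds, and the added parentheses keep it that way. Something like `bool ver_mismatch = (knot_edns_get_version(query->opt_rr) != knot_edns_get_version(resp->opt_rr));` with `if (ver_mismatch) {` would match the debug message. The removed TODO is only resolved if the response OPT RR never has DO set when BADVERS is returned, because `have_dnssec()` in internet.c now keys off that bit. The lines visible here do not show where the response DO bit is set or left clear, and `prepare_answer()` continues beyond the hunk. A short comment in this block stating that dependency would keep a later change from re-enabling DNSSEC processing for unsupported EDNS versions.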
-- 
GitLab