From 53c6c82a1b36c1f3cd437dbf80f87018a1175943 Mon Sep 17 00:00:00 2001
From: Marek Vavrusa <marek@vavrusa.com>
Date: Thu, 10 Mar 2016 17:28:22 +0000
Subject: [PATCH] lib/resolve: set AD=1 when client asks with it and secure

---
 lib/layer/rrcache.c | 3 ++-
 lib/resolve.c       | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index 8c33b4f84..7226bfc51 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -91,8 +91,9 @@ static int loot_rrcache(struct kr_cache *cache, knot_pkt_t *pkt, struct kr_query
 		rrtype = KNOT_RRTYPE_CNAME;
 		ret = loot_rr(&txn, pkt, qry->sname, qry->sclass, rrtype, qry, &rank, 0);
 	}
-	/* Record isn't flagged as INSECURE => doesn't have RRSIG. */
+	/* Record is flagged as INSECURE => doesn't have RRSIG. */
 	if (ret == 0 && (rank & KR_RANK_INSECURE)) {
+		qry->flags |= QUERY_DNSSEC_INSECURE;
 		qry->flags &= ~QUERY_DNSSEC_WANT;
 	/* Record may have RRSIG, try to find it. */
 	} else if (ret == 0 && dobit) {
diff --git a/lib/resolve.c b/lib/resolve.c
index 9d33847cc..6e27de293 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -325,8 +325,8 @@ static int answer_finalize(struct kr_request *request, int state)
 	if (state == KNOT_STATE_DONE && rplan->resolved.len > 0) {
 		struct kr_query *last = array_tail(rplan->resolved);
 		/* Do not set AD for RRSIG query, as we can't validate it. */
-		if ((last->flags & QUERY_DNSSEC_WANT) && knot_pkt_has_dnssec(answer) &&
-			knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG) {
+		const bool dnssec_ok = (last->flags & QUERY_DNSSEC_WANT) && !(last->flags & QUERY_DNSSEC_INSECURE);
+		if (dnssec_ok && knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG) {
 			knot_wire_set_ad(answer->wire);
 		}
 	}
@@ -393,7 +393,7 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 	/* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
 	map_t *negative_anchors = &request->ctx->negative_anchors;
 	map_t *trust_anchors = &request->ctx->trust_anchors;
-	if (knot_pkt_has_dnssec(packet) &&
+	if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
 	    kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
 		qry->flags |= QUERY_DNSSEC_WANT;
 	}
-- 
GitLab