From a5e6600f3120d54cbc6812196ef4eee2e7e900a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Vavru=C5=A1a?= <marek.vavrusa@nic.cz>
Date: Tue, 22 Sep 2015 17:29:25 +0200
Subject: [PATCH] lib/iterate: treat SOA change with signed queries as referral

with DNSSEC, such query needs to be revalidated as the TA/key is missing
for the new zone cut, which would lead to duplicated answers

in the future there may be an api to defer query processing, but for now
it can't be done
---
 lib/layer/iterate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 876d8abef..5ab6887c3 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -274,6 +274,9 @@ static int process_authority(knot_pkt_t *pkt, struct kr_request *req)
 			/* SOA below cut in authority indicates different authority, but same NS set. */
 			if (knot_dname_is_sub(rr->owner, qry->zone_cut.name)) {
 				qry->zone_cut.name = knot_dname_copy(rr->owner, &req->pool);
+				if (knot_pkt_has_dnssec(pkt)) { /* Treat as a referral */
+					return KNOT_STATE_DONE;
+				}
 			}
 		}
 	}
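Review bot: The new early return at `if (knot_pkt_has_dnssec(pkt))` is decided by the packet being processed, which appears to be the upstream response, so whether the SOA change is treated as a referral depends on data the remote server controls rather than on whether the resolver asked for DNSSEC on this query. A response that omits the DNSSEC indication would skip this path and fall back to the behaviour the commit message describes as leading to duplicated answers. If the query carries its own record of DNSSEC having been requested, keying the check on that would be more robust. The return also follows an unchecked `knot_dname_copy()`, so on allocation failure the function would report done with a NULL cut name; a guard such as `if (!qry->zone_cut.name) return KNOT_STATE_FAIL;` before the DNSSEC check would close that. Returning from inside the loop skips any authority records after the SOA, which deserves a comment such as `/* remaining authority RRs are intentionally ignored; the query is re-resolved from the new cut */`. process_authority starts and ends outside this hunk, so the effect on the rest of the loop is inferred.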
-- 
GitLab