From a9406f78284cc7e04adf659721f74378da45c8af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Wed, 11 Sep 2019 17:57:41 +0200
Subject: [PATCH] lib/resolve creation of first query: fix a rare possible bug

qname here wasn't lower-cased, so the match might not be correct.
Still, practically all deployments use either root TA or none,
and these can't be affected.
---
 lib/resolve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/resolve.c b/lib/resolve.c
index 44fbef588..0cef2f97c 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -776,7 +776,7 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 		qry->flags.AWAIT_CUT = true;
 		/* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
 		if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
-		    kr_ta_covers_qry(request->ctx, qname, qtype)) {
+		    kr_ta_covers_qry(request->ctx, qry->sname, qtype)) {
 			qry->flags.DNSSEC_WANT = true;
 		}
 	}
-- 
GitLab