Knot Resolver on Turris Omnia sets AD flag on insecure domains

As reported by sbortzmeyer:

The Knot resolver on my Turris Omnia always set the AD flag, even for unsigned domains:

% dig @192.168.2.254 twitter.com        

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @192.168.2.254 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65123
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;twitter.com.                IN A

;; ANSWER SECTION:
twitter.com.                1426 IN        A 104.244.42.65
twitter.com.                1426 IN        A 104.244.42.1

;; Query time: 12 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Wed Oct 19 15:41:01 CEST 2016
;; MSG SIZE  rcvd: 72

That's strange; I can't reproduce that locally (on PC). I tried also on v1.1.1 tag, as that's supposedly running on omnia.

Unfortunately, I cannot test it myself, I can compile the Knot resolver in git but I cannot run it:

% /tmp/kresd/sbin/kresd                                
[system] error /tmp/kresd/lib/kdns_modules/kres.lua:24: support libknot not found
[system] worker failed: No such file or directory

(It's not just when I compile myself, see also Debian bug #841496)

But it is posisble it is a Omnia-specific issue and, then, it should be tested first against an Omnia.

This has been resolved in master, kres.lua should now pickup the SONAME of libknot that kresd is compiled with.

Mentioned in commit 3846cc78

changed milestone to %1.2.0 release

I see now, this only happens in forwarding mode (which is the default on Omnia).

mentioned in commit 5c720573

mentioned in merge request !149 (merged)

closed via commit 5c720573

closed via commit 9f04390d

closed via merge request !149 (merged)

@bortzmeyer: thanks for raising the issue. It took me long to connect this with forwarding.

/cc @jpavlinec to be sure (though rather late).

mentioned in commit 9f04390d