iterate: update zone cut when NS is authoritative for both parent and child
In some cases the NS is authoritative for both parent and the child side of the delegation (e.g. nrl.navy.mil). When it gets the query for such NS, it can respond from the child side with an NS record in the answer and AA=1. The resolver should update the zone cut accordingly, otherwise it would fail validation in cases when the child-side of the delegation is insecure, but parent side of the delegation is secure, because the child side would respond without DNSSEC records, and it wouldn't indicate that the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).
The example that reproduces it is
www.nrl.navy.mil, the problem is when the resolver reaches the
[resl] => querying: '22.214.171.124' score: 72 zone cut: 'navy.mil.' qname: 'NrL.NAvY.mIl.' qtype: 'NS' proto: 'udp' [iter] <= rcode: NOERROR [iter] <= found cut, retrying with non-minimized name
It's in fact the same nameserver as for
navy.mil and returns this:
$ kdig @126.96.36.199 NS nrl.navy.mil ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53423 ;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; nrl.navy.mil. IN NS ;; ANSWER SECTION: nrl.navy.mil. 1677 IN NS ns1.nrl.navy.mil. nrl.navy.mil. 1677 IN NS ns2.nrl.navy.mil.
The resolver will treat this as an authoritative answer (as it should) and retries without minimisation.
It however doesn't update its zone cut to
nrl.navy.mil (which is signed), so it expects a signed answer in the next query, but gets:
$ kdig @188.8.131.52 A www.nrl.navy.mil ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62333 ;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0 ;; QUESTION SECTION: ;; www.nrl.navy.mil. IN A ;; ANSWER SECTION: www.nrl.navy.mil. 1949 IN A 184.108.40.206
It retries for RRSIG, but doesn't get anything and ends with a bogus NODATA proof, which would be correct if the delegation was
navy.mil, but the server is answering from the