validate: don't turn all NS records insecure on non-existent DS (!576) · Merge requests · Knot projects / Knot Resolver

Marek Vavrusa requested to merge marek/fix-ns-rank-downgrade into master May 01, 2018

Currently this lists all NS records in the auth_selected from the same query UID and marks them as insecure.

It should only mark NS records matching the DS record as insecure, as parent NS records may be in the same response and the absence of DS doesn't say anything about them.

This happens rarely on some zones, and I'm not sure about the reproducer. I suspect it's something like:

Query for child.test DS
Response for child.test DS says that child.test DS doesn't exist in the test authority (so test NS gets added to the auth_selected)
test NS rank in auth_selected gets downgraded because of that

@gdemidov

Edited May 16, 2018 by Vladimír Čunát

Admin message

validate: don't turn all NS records insecure on non-existent DS

Merge request reports