3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833]

2025-08-30 05:57:52 +00:00 · 2014-08-22 15:45:40 +10:00 · 2014-08-22 15:45:40 +10:00 · cef76ee5bd
commit cef76ee5bd
parent 3d66a979b5
3 changed files with 10 additions and 2 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+3921.	[bug]		AD was inappopriately set on RPZ responses. [RT #36833]
+
 3920.	[doc]		Added doc for masterfile-style. [RT #36823]

 3919.	[bug]		dig: continue to next line if a address lookup fails
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -5450,7 +5450,7 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
 	 * response policy zone cannot verify.
 	 */
 	client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
-				DNS_MESSAGEFLAG_AD);
+				NS_CLIENTATTR_WANTAD);
 	return (ISC_R_SUCCESS);
 }

@ -6679,7 +6679,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * response policy zone cannot verify.
 			 */
 			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
-						DNS_MESSAGEFLAG_AD);
+						NS_CLIENTATTR_WANTAD);
+			client->message->flags &= ~DNS_MESSAGEFLAG_AD;
 			query_putrdataset(client, &sigrdataset);
 			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -209,6 +209,11 @@ clean_result () {
 # $1=dig args $2=other dig output file
 ckresult () {
    #ckalive "$1" "I:server crashed by 'dig $1'" || return 1
+    if grep "flags:.* aa .*ad;" $DIGNM; then
+	setret "I:'dig $1' AA and AD set;"
+    elif grep "flags:.* aa .*ad;" $DIGNM; then
+	setret "I:'dig $1' AD set;"
+    fi
    if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
 	NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'`
 	RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM`