From cef76ee5bd845a80e06da934edce4225bdba22a1 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 22 Aug 2014 15:45:40 +1000
Subject: [PATCH] 3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833]
---
 CHANGES | 2 ++
 bin/named/query.c | 5 +++--
 bin/tests/system/rpz/tests.sh | 5 +++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index e919c52efd..d5a8d1c825 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833]
+
 3920. [doc] Added doc for masterfile-style. [RT #36823]
 
 3919. [bug] dig: continue to next line if a address lookup fails
diff --git a/bin/named/query.c b/bin/named/query.c
index ec56030dcd..a79a930fd3 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -5450,7 +5450,7 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
 * response policy zone cannot verify.
 */
 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
- DNS_MESSAGEFLAG_AD);
+ NS_CLIENTATTR_WANTAD);
 return (ISC_R_SUCCESS);
 }
 
@@ -6679,7 +6679,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 * response policy zone cannot verify.
 */
 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
- DNS_MESSAGEFLAG_AD);
+ NS_CLIENTATTR_WANTAD);
+ client->message->flags &= ~DNS_MESSAGEFLAG_AD;
 query_putrdataset(client, &sigrdataset);
 rpz_st->q.is_zone = is_zone;
 is_zone = ISC_TRUE;
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index aea61c90b8..4d4978a229 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
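Review bot: rpz_add_cname in bin/named/query.c (first hunk) is left without the `client->message->flags &= ~DNS_MESSAGEFLAG_AD;` line that the query_find hunk adds, so the two RPZ rewrite paths now clear AD differently. If the AD bit can already be set on the response message when the CNAME rewrite path runs, that path could still return a policy-rewritten answer marked as authenticated; either add the same line after the mask update in rpz_add_cname or add a comment saying why it is not needed there. Because the old code used a message-flag constant inside a client-attribute mask, a short comment at both sites would also help, e.g. `/* client->attributes and message->flags are separate bit spaces; clear AD in each */`. Both functions start and end outside their hunks, so this is inferred from the visible lines only.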
@@ -209,6 +209,11 @@ clean_result () {
 # $1=dig args $2=other dig output file
 ckresult () {
 #ckalive "$1" "I:server crashed by 'dig $1'" || return 1
+ if grep "flags:.* aa .*ad;" $DIGNM; then
+ setret "I:'dig $1' AA and AD set;"
+ elif grep "flags:.* aa .*ad;" $DIGNM; then
+ setret "I:'dig $1' AD set;"
+ fi
 if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
 NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'`
 RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM`
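Review bot: The `elif` added to ckresult repeats the `if` pattern character for character (`"flags:.* aa .*ad;"`), so the "AD set" branch can never run and a response carrying AD without AA passes this check unnoticed. The second test presumably should match AD alone, e.g. `elif grep "flags:.* ad;" $DIGNM; then`; as written, the regression check covers only the AA-plus-AD case of the bug this commit fixes. Both greps also write the matching line to the test output; adding `>/dev/null`, as the digcomp.pl call below already does, would keep the log to the setret message. ckresult continues past the end of the hunk.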