plugin/cache: Unset AD flag when DO is not set for cache miss (#4736)

* unset AD bit when client DO is 0 Signed-off-by: Chris O'Haver <cohaver@infoblox.com> * add flag check to existing tests Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
2021-07-09 04:53:50 -04:00 · 2021-07-09 04:53:50 -04:00 · 002b748ccd
commit 002b748ccd
parent bfb6972d30
3 changed files with 19 additions and 9 deletions
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@ -181,6 +181,10 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 	res.Ns = filterRRSlice(res.Ns, ttl, w.do, false)
 	res.Extra = filterRRSlice(res.Extra, ttl, w.do, false)
 	if !w.do {
 		res.AuthenticatedData = false // unset AD bit if client is not OK with DNSSEC
 	}
 	return w.ResponseWriter.WriteMsg(res)
 }
--- a/plugin/cache/dnssec_test.go
+++ b/plugin/cache/dnssec_test.go
@ -23,7 +23,8 @@ func TestResponseWithDNSSEC(t *testing.T) {
 		},
 		{
 			Qname: "invent.example.org.", Qtype: dns.TypeA,
-			Do: true,
+			Do:                true,
 			AuthenticatedData: true,
 			Answer: []dns.RR{
 				test.CNAME("invent.example.org.		1781	IN	CNAME	leptone.example.org."),
 				test.RRSIG("invent.example.org.		1781	IN	RRSIG	CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+"),
@ -40,6 +41,9 @@ func TestResponseWithDNSSEC(t *testing.T) {
 		m := tc.Msg()
 		rec := dnstest.NewRecorder(&test.ResponseWriter{})
 		c.ServeDNS(context.TODO(), rec, m)
 		if tc.AuthenticatedData != rec.Msg.AuthenticatedData {
 			t.Errorf("Test %d, expected AuthenticatedData=%v", i, tc.AuthenticatedData)
 		}
 		if err := test.Section(tc, test.Answer, rec.Msg.Answer); err != nil {
 			t.Errorf("Test %d, expected no error, got %s", i, err)
 		}
@ -64,6 +68,7 @@ func dnssecHandler() plugin.Handler {
 		m := new(dns.Msg)
 		m.SetQuestion("example.org.", dns.TypeA)
 		m.AuthenticatedData = true
 		m.Answer = make([]dns.RR, 4)
 		m.Answer[0] = test.CNAME("invent.example.org.		1781	IN	CNAME	leptone.example.org.")
 		m.Answer[1] = test.RRSIG("invent.example.org.		1781	IN	RRSIG	CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+")
--- a/plugin/test/helpers.go
+++ b/plugin/test/helpers.go
@ -29,14 +29,15 @@ func (p RRSet) Less(i, j int) bool { return p[i].String() < p[j].String() }
 // Case represents a test case that encapsulates various data from a query and response.
 // Note that is the TTL of a record is 303 we don't compare it with the TTL.
 type Case struct {
-	Qname  string
+	Qname             string
-	Qtype  uint16
+	Qtype             uint16
-	Rcode  int
+	Rcode             int
-	Do     bool
+	Do                bool
-	Answer []dns.RR
+	AuthenticatedData bool
-	Ns     []dns.RR
+	Answer            []dns.RR
-	Extra  []dns.RR
+	Ns                []dns.RR
-	Error  error
+	Extra             []dns.RR
 	Error             error
 }
 // Msg returns a *dns.Msg embedded in c.