From 674fdd5e3968de514d6bd1c12134797fe63851a0 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 27 Aug 2007 11:26:03 +0000 Subject: [PATCH] send recursive queries to test cache drop off. git-svn-id: file:///svn/unbound/trunk@549 be551aaa-1e26-0410-a405-d3ace91eadb9 --- daemon/worker.c | 35 +++++++++++++++++++++++++++++++++-- doc/Changelog | 2 ++ testdata/fwd_lrudrop.rpl | 3 +++ 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/daemon/worker.c b/daemon/worker.c index 432e04013..2f0057a43 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -311,14 +311,42 @@ check_delegation_secure(struct reply_info *rep) size_t i; enum sec_status sec = sec_status_secure; enum sec_status s; - for(i=0; irrset_count; i++) { + size_t num = rep->an_numrrsets + rep->ns_numrrsets; + /* check if answer and authority are OK */ + for(i=0; irrsets[i])->security; if(s < sec) sec = s; } + /* in additional, only unchecked triggers revalidation */ + for(i=num; irrset_count; i++) { + s = ((struct packed_rrset_data*)rep->rrsets[i])->security; + if(s == sec_status_unchecked) + return s; + } return sec; } +/** remove nonsecure from a delegation referral additional section */ +static void +deleg_remove_nonsecure_additional(struct reply_info* rep) +{ + /* we can simply edit it, since we are working in the scratch region */ + size_t i; + enum sec_status s; + + for(i = rep->an_numrrsets+rep->ns_numrrsets; irrset_count; i++) { + s = ((struct packed_rrset_data*)rep->rrsets[i])->security; + if(s != sec_status_secure) { + memmove(rep->rrsets+i, rep->rrsets+i+1, + sizeof(struct ub_packed_rrset_key*)* + (rep->rrset_count - i - 1)); + rep->ar_numrrsets--; + rep->rrset_count--; + } + } +} + /** answer nonrecursive query from the cache */ static int answer_norec_from_cache(struct worker* worker, struct query_info* qinfo, 
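Review bot: In `deleg_remove_nonsecure_additional`, the loop still advances `i` after a removal, so the rrset that `memmove` shifts into slot `i` is never examined; of two adjacent non-secure additional rrsets, the second stays in a reply that the caller then encodes as secure. Add `i--;` after `rep->rrset_count--;` (well-defined for `size_t`, the following `i++` restores it), or increment only when nothing was removed. The loop header is garbled in this rendering of the patch, but the trailing `i++` is visible. Separately, the `memmove` sizes the elements as `struct ub_packed_rrset_key*` while both loops cast the same element to `struct packed_rrset_data*`; if the data hangs off the key rather than being the key, `security` is read from the wrong object, which is worth confirming against the struct definitions.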
@@ -367,6 +395,9 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 return 1;
 case sec_status_secure:
 /* all rrsets are secure */
+ /* remove non-secure rrsets from the add. section*/
+ if(worker->env.cfg->val_clean_additional)
+ deleg_remove_nonsecure_additional(msg->rep);
 secure = 1;
 break;
 case sec_status_indeterminate:
@@ -384,7 +415,7 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 edns->bits &= EDNS_DO;
 msg->rep->flags |= BIT_QR|BIT_RA;
 if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags,
- repinfo->c->buffer, timenow, 1, worker->scratchpad,
+ repinfo->c->buffer, 0, 1, worker->scratchpad,
 udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
 error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 &msg->qinfo, id, flags, edns);
diff --git a/doc/Changelog b/doc/Changelog
index a520ece18..9bf81ad68 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 27 August 2007: Wouter
 - do not garble the edns if a cache answer fails.
 - answer norecursive from cache if possible.
+ - honor clean_additional setting when returning secure non-recursive
+ referrals.
 24 August 2007: Wouter
 - message is bogus if unsecure authority rrsets are present.
diff --git a/testdata/fwd_lrudrop.rpl b/testdata/fwd_lrudrop.rpl
index 57b0de83f..31b26748f 100644
--- a/testdata/fwd_lrudrop.rpl
+++ b/testdata/fwd_lrudrop.rpl
@@ -11,6 +11,7 @@ SCENARIO_BEGIN Old answer is dropped from the cache
 STEP 1 QUERY
 ENTRY_BEGIN
+ REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -47,6 +48,7 @@ ENTRY_END
 ; another query to force the cache to drop the example.com entry.
 STEP 11 QUERY
 ENTRY_BEGIN
+ REPLY RD
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
@@ -84,6 +86,7 @@ ENTRY_END
 ; query, same as first, but it fell out of the cache.
 STEP 21 QUERY
 ENTRY_BEGIN
+ REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
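Review bot: In the `case sec_status_secure:` branch (hunk `@@ -367,6 +395,9 @@`), the context comment `/* all rrsets are secure */` no longer matches what `check_delegation_secure` reports after this commit: the additional section may still hold non-secure rrsets, which is why the new call exists. Reword it to `/* answer and authority are secure */`. The helper edits `msg->rep` in place on its stated assumption that the reply lives in the scratch region; a call-site comment such as `/* msg->rep is a scratch copy, safe to edit */` would record that precondition, provided it actually holds. The allocation of `msg` and the rest of `answer_norec_from_cache` are outside the hunk.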
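Review bot: In the `reply_info_answer_encode` call (hunk `@@ -384,7 +415,7 @@`), the bare `0` that replaces `timenow` is unexplained, and neither the commit message nor the Changelog entry mentions it. If the TTLs in `msg->rep` were already made relative when the message was copied out of the cache, say so with a comment such as `/* TTLs in msg->rep already relative, so timenow is 0 */`; if they are still absolute, uncorrected TTLs would go out on the wire. The lookup that produces `msg` is outside the hunk, so this cannot be confirmed from the lines shown.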