resolved: Don't omit AD bit in reply if DO is set in the query

Set the AD bit in the response if the data is authenticated and AD or DO is set in the query, as suggested by section 5.8 of RFC6840. Fixes #20332
2026-04-14 00:14:32 +09:00 · 2021-08-03 08:07:05 +02:00
parent d84f316cce
commit b553abd8ae
1 changed files with 2 additions and 2 deletions
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -585,7 +585,7 @@ static int dns_stub_send_reply(
                        DNS_PACKET_RD(q->request_packet),
                        !!q->request_packet->opt,
                        edns0_do,
-                        DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
+                        (DNS_PACKET_AD(q->request_packet) || DNS_PACKET_DO(q->request_packet)) && dns_query_fully_authenticated(q),
                        DNS_PACKET_CD(q->request_packet),
                        q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX,
                        dns_packet_has_nsid_request(q->request_packet) > 0 && !q->stub_listener_extra);
@@ -627,7 +627,7 @@ static int dns_stub_send_failure(
                        DNS_PACKET_RD(p),
                        !!p->opt,
                        DNS_PACKET_DO(p),
-                        DNS_PACKET_AD(p) && authenticated,
+                        (DNS_PACKET_AD(p) || DNS_PACKET_DO(p)) && authenticated,
                        DNS_PACKET_CD(p),
                        l ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX,
                        dns_packet_has_nsid_request(p) > 0 && !l);