Diffstat (limited to 'lib/dns/resolver.c')
-rw-r--r--lib/dns/resolver.c33
1 files changed, 28 insertions, 5 deletions
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a5d7c2500f8fa..3b90af4400c32 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.384.14.14 2009/06/02 23:47:13 tbox Exp $ */
+/* $Id: resolver.c,v 1.384.14.14.8.1 2009/11/18 23:58:04 marka Exp $ */
/*! \file */
@@ -4293,6 +4293,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* for it, unless it is glue.
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -4329,12 +4330,34 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
}
/*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
* Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
*/
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
if (!need_validation || !ANSWER(rdataset)) {
addedrdataset = ardataset;
result = dns_db_addrdataset(fctx->cache, node,
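Review bot: The new out-of-bailiwick guard at the top of the hunk rejects only additional records that arrive without an RRSIG; a signed out-of-bailiwick additional RRset still passes the `continue` and is stored with `dns_trust_pending_additional`, and the XXXMPA comment just below concedes that the path which later promotes pending data does no bailiwick processing yet. Whether that is safe therefore rests entirely on every consumer of `dns_trust_pending_additional` never raising it above `dns_trust_additional` after validation; that code is outside this hunk and should be checked as part of the same change. I would state the invariant where the new trust level is assigned, e.g. `/* pending_additional must never be promoted past dns_trust_additional: bailiwick is not re-checked after validation. */`. Two unrelated comments (the XXXMPA note and the "Cache this rdataset" description) are also fused into one block now; splitting them makes the caveat easier to find. The enclosing loop and cache_name() itself start and end outside the hunk.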
@@ -4682,7 +4705,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
for (trdataset = ISC_LIST_HEAD(tname->list);
trdataset != NULL;
trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
}
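Review bot: The negative-cache path now tags every authority-section RRset as `dns_trust_pending_answer` with no visible check that it is signed or in bailiwick, unlike the `EXTERNAL()`/`sigrdataset == NULL` screen this commit adds for additional data in cache_name(). If ncache_message() or its caller does not already confine the authority section to the responding zone, an unsigned out-of-bailiwick SOA or NSEC would enter the negative cache at answer-level pending trust; that screening is not visible here, so it should be confirmed rather than assumed. Once confirmed, a one-line comment at the assignment recording where bailiwick is enforced, e.g. `/* authority RRsets are already confined to the responding zone by the caller; see noanswer handling. */`, would make the asymmetry with cache_name() deliberate. ncache_message() starts before the hunk.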