From c92f0083a2276cfb68890febb872299b699463ac Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 25 Jan 2014 18:43:59 +0000
Subject: [PATCH] Get AA flag right in DNSSEC answers from cache.

---
 src/rfc1035.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 3c88070..1453157 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1559,9 +1559,13 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	  if (crecp)
 	    {
 	      if (qtype == T_RRSIG)
-		ans = gotone = 1;
+		{
+		  ans = gotone = 1;
+		  auth = 0;
+		}
 	      else if (qtype == T_DS)
 		{
+		  auth = 0;
 		  crecp = NULL;
 		  while ((crecp = cache_find_by_name(crecp, name, now, F_DS)))
 		    if (crecp->uid == qclass)
@@ -1587,6 +1591,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY)))
 		      if (crecp->uid == qclass)
 			{
+			  if (!(crecp->flags & F_CONFIG))
+			    auth = 0;
 			  ans = gotone = 1;
 			  if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL)))
 			    {