Fix logic error in signed RR handling.

In extract_addresses() the "secure" argument is only set if the
whole reply is validated (ie the AD bit can be set). Even without
that, some records may be validated, and should be marked
as such in the cache.

Related, the DNS doctor code has to update the flags for individual
RRs as it works, not the global "secure" flag.

src/forward.c

@@ -814,28 +814,38 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	    }
 	}
       
-      if (do_doctor(header, n))
-	cache_secure = 0;
-
-      switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure))
+      if (!bogusanswer)
 	{
-	case 1:
-	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
-	  munged = 1;
-	  cache_secure = 0;
-	  ede = EDE_BLOCKED;
-	  break;
+	  if (daemon->doctors && !do_doctor(header, n))
+	    {
+	      /* do_doctors found malformed answer. */
+	      munged = 1;
+	      SET_RCODE(header, SERVFAIL);
+	      cache_secure = 0;
+	      ede = EDE_OTHER;
+	    }
 	  
-	  /* extract_addresses() found a malformed answer. */
-	case 2:
-	  munged = 1;
-	  SET_RCODE(header, SERVFAIL);
-	  cache_secure = 0;
-	  ede = EDE_OTHER;
-	  break;
+	  if (RCODE(header) != SERVFAIL)
+	    switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure))
+	      {
+	      case 1:
+		my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
+		munged = 1;
+		cache_secure = 0;
+		ede = EDE_BLOCKED;
+		break;
+		
+		/* extract_addresses() found a malformed answer. */
+	      case 2:
+		munged = 1;
+		SET_RCODE(header, SERVFAIL);
+		cache_secure = 0;
+		ede = EDE_OTHER;
+		break;
+	      }
 	}
-
-      if (rcode == NOERROR && rrfilter(header, &n, RRFILTER_CONF) > 0) 
+      
+      if (RCODE(header) == NOERROR && rrfilter(header, &n, RRFILTER_CONF) > 0) 
 	ede = EDE_FILTERED;
     }