2022. [bug] If dnssec validation is disabled only assert CD if

CD was requested. [RT #16037]

2021.   [bug]           dnssec-enable no; triggered a REQUIRE. [RT #16037]

CHANGES

@@ -1,3 +1,8 @@
+2022.	[bug]		If dnssec validation is disabled only assert CD if
+			CD was requested. [RT #16037]
+
+2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
+
 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
 
 2019.	[tuning]	Reduce the amount of work performed per quantum

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.330 2006/03/09 23:21:54 marka Exp $ */
+/* $Id: resolver.c,v 1.331 2006/05/18 00:51:02 marka Exp $ */
 
 /*! \file */
 
@@ -1284,7 +1284,9 @@ resquery_send(resquery_t *query) {
 	 * Set CD if the client says don't validate or the question is
 	 * under a secure entry point.
 	 */
-	if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
+	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	} else if (res->view->enablevalidation) {
 		result = dns_keytable_issecuredomain(res->view->secroots,
 						     &fctx->name,
 						     &secure_domain);
@@ -1294,8 +1296,7 @@ resquery_send(resquery_t *query) {
 			secure_domain = ISC_TRUE;
 		if (secure_domain)
 			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	} else
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	}
 
 	/*
 	 * We don't have to set opcode because it defaults to query.