From f6c3b135222b5207d5bca4522dc938bf4d2e742e Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 27 Mar 2019 17:45:45 +0100 Subject: [PATCH 1/2] dnstap: if recursion is not available, log queries as AQ instead of CQ (cherry picked from commit 1f578cdb1252575f097a83a831bdfb59d346ef09) --- bin/tests/system/dnstap/tests.sh | 24 ++++++++++++------------ lib/ns/client.c | 8 +++++--- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh index 28e67f7c99..1396995026 100644 --- a/bin/tests/system/dnstap/tests.sh +++ b/bin/tests/system/dnstap/tests.sh @@ -145,16 +145,16 @@ status=`expr $status + $ret` echo_i "checking AUTH_QUERY message counts" ret=0 -[ $aq1 -eq 2 ] || { - echo_i "ns1 $aq1 exepcted 2" +[ $aq1 -eq 3 ] || { + echo_i "ns1 $aq1 exepcted 3" ret=1 } -[ $aq2 -eq 1 ] || { - echo_i "ns2 $aq2 expected 1" +[ $aq2 -eq 2 ] || { + echo_i "ns2 $aq2 expected 2" ret=1 } -[ $aq3 -eq 0 ] || { - echo_i "ns3 $aq3 expected 0" +[ $aq3 -eq 1 ] || { + echo_i "ns3 $aq3 expected 1" ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi @@ -179,16 +179,16 @@ status=`expr $status + $ret` echo_i "checking CLIENT_QUERY message counts" ret=0 -[ $cq1 -eq 1 ] || { - echo_i "ns1 $cq1 expected 1" +[ $cq1 -eq 0 ] || { + echo_i "ns1 $cq1 expected 0" ret=1 } -[ $cq2 -eq 1 ] || { - echo_i "ns2 $cq2 expected 1" +[ $cq2 -eq 0 ] || { + echo_i "ns2 $cq2 expected 0" ret=1 } -[ $cq3 -eq 2 ] || { - echo_i "ns3 $cq3 expected 2" +[ $cq3 -eq 1 ] || { + echo_i "ns3 $cq3 expected 1" ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/lib/ns/client.c b/lib/ns/client.c index 4a43fb6d32..0df4f64f71 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c 
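Review bot: The rewritten ns1 line in the AUTH_QUERY hunk carries the old typo forward: `echo_i "ns1 $aq1 exepcted 3"` should read `echo_i "ns1 $aq1 expected 3"`, so a failure there is found by the same log search as the ns2 and ns3 messages. Both hunks assert only the per-server totals, so they confirm that the counts moved from CQ to AQ but not which query moved. If the test has a query that sets RD against a server with recursion disabled, a short comment naming it next to the expected counts would make the new numbers easier to audit.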
@@ -2789,8 +2789,9 @@ ns__client_request(isc_task_t *task, isc_event_t *event) { true) == ISC_R_SUCCESS) ra = true; - if (ra == true) + if (ra == true) { client->attributes |= NS_CLIENTATTR_RA; + } ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), ra ? "recursion available" : @@ -2817,10 +2818,11 @@ ns__client_request(isc_task_t *task, isc_event_t *event) { case dns_opcode_query: CTRACE("query"); #ifdef HAVE_DNSTAP - if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) + if (ra && (client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { dtmsgtype = DNS_DTTYPE_CQ; - else + } else { dtmsgtype = DNS_DTTYPE_AQ; + } dns_dt_send(client->view, dtmsgtype, &client->peeraddr, &client->destsockaddr, TCP_CLIENT(client), NULL, From ded4650794b6444c605851dbdf06ef0ec2b22c51 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 11 Apr 2019 15:20:46 -0700 Subject: [PATCH 2/2] CHANGES --- CHANGES | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGES b/CHANGES index 9bd04956d6..466cdab47a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +5210. [bug] When dnstap is enabled and recursion is not + available, incoming queries are now logged + as "auth". Previously, this depended on whether + recursion was requested by the client, not on + whether recursion was available. [GL #963] + 5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899]
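Review bot: The new dnstap condition in the second lib/ns/client.c hunk, `if (ra && (client->message->flags & DNS_MESSAGEFLAG_RD) != 0) {`, has no comment saying why `ra` gates the message type, and the effect matters to anyone consuming the dnstap stream. With this change a query that sets RD but comes from a client that is refused recursion is recorded as AQ, so monitoring that relied on CLIENT_QUERY to see recursion requests from such clients now has to read the RD bit from the AQ message itself. I would add `/* CQ only when recursion is both requested (RD) and available to this client (ra); otherwise the query is logged as AQ. */` above the `if`. The first hunk also keeps `if (ra == true) {` while the new code tests `ra` directly; `if (ra) {` would match. ns__client_request starts and ends outside both hunks, so where `ra` is initialised is not visible here.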