From def6b33badb2ef286ece376c57db84250be163b2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 13 Dec 2016 16:27:18 +1100
Subject: [PATCH] 4534.   [bug]           Only set RD, RA and CD in QUERY
 responses. [RT #43879]

---
 CHANGES                            | 2 ++
 bin/named/client.c                 | 3 ++-
 bin/tests/system/resolver/tests.sh | 8 +++++++-
 lib/dns/message.c                  | 5 ++++-
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index f28b3af925..30afe3d3f9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
+
 4533.	[bug]		dns_client_update should terminate on prerequisite
 			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
 			and also on BADZONE.  [RT #43865]
diff --git a/bin/named/client.c b/bin/named/client.c
index 4b2f4b0b50..1b6388e4b3 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1017,7 +1017,8 @@ client_send(ns_client_t *client) {
 
 	CTRACE("send");
 
-	if ((client->attributes & NS_CLIENTATTR_RA) != 0)
+	if (client->message->opcode == dns_opcode_query &&
+	    (client->attributes & NS_CLIENTATTR_RA) != 0)
 		client->message->flags |= DNS_MESSAGEFLAG_RA;
 
 	if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 2ca6eda6e2..3cd8c03435 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -575,8 +575,14 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:check that unexpected opcodes are handled correctly (${n})"
 ret=0
-$DIG soa all-cnames @10.53.0.5 -p 5300 +opcode=status > dig.out.ns5.test${n} || ret=1
+$DIG soa all-cnames @10.53.0.5 -p 5300 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
 grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
diff --git a/lib/dns/message.c b/lib/dns/message.c
index c5d6ca22e2..4df8a154fb 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -2591,7 +2591,10 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 	 * We now clear most flags and then set QR, ensuring that the
 	 * reply's flags will be in a reasonable state.
 	 */
-	msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
+	if (msg->opcode == dns_opcode_query)
+		msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
+	else
+		msg->flags = 0;
 	msg->flags |= DNS_MESSAGEFLAG_QR;
 
 	/*