Merge branch 'master' into rrl-wip

17 files changed, 334 insertions, 102 deletions

diff --git a/lib/README.rst b/lib/README.rst
index b631fe7b..f2463d4a 100644
--- a/lib/README.rst
+++ b/lib/README.rst
@@ -4,11 +4,6 @@
 Knot Resolver library
 *********************
 
-Requirements
-============
-
-* libknot_ 2.0 (Knot DNS high-performance DNS library.)
-
 For users
 =========
 
diff --git a/lib/cache/api.c b/lib/cache/api.c
index 0cd18534..046dae20 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -237,9 +237,7 @@ int32_t get_new_ttl(const struct entry_h *entry, const struct kr_query *qry,
 		int res_stale = qry->stale_cb(res, owner, type, qry);
 		if (res_stale >= 0) {
 			VERBOSE_MSG(qry, "responding with stale answer\n");
-			/* LATER: Perhaps we could use a more specific Stale
-			 * NXDOMAIN Answer code for applicable responses. */
-			kr_request_set_extended_error(qry->request, KNOT_EDNS_EDE_STALE, "6Q6X");
+			qry->request->stale_accounted = true;
 			return res_stale;
 		}
 	}
diff --git a/lib/cache/peek.c b/lib/cache/peek.c
index d12031fc..46a4868c 100644
--- a/lib/cache/peek.c
+++ b/lib/cache/peek.c
@@ -214,6 +214,7 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt)
 
 	/* Try the NSEC* parameters in order, until success.
 	 * Let's not mix different parameters for NSEC* RRs in a single proof. */
+	bool is_synthesized = false;
 	for (int i = 0; ;) {
 		int32_t log_new_ttl = -123456789; /* visually recognizable value */
 		ret = nsec_p_ttl(el[i], qry->timestamp.tv_sec, &log_new_ttl);
@@ -234,6 +235,7 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt)
 		/**** 2. and 3. inside */
 		ret = peek_encloser(k, &ans, sname_labels,
 					lowest_rank, qry, cache);
+		is_synthesized = (ret == 0);
 		nsec_p_cleanup(&ans.nsec_p);
 		if (!ret) break;
 		if (ret < 0) return ctx->state;
@@ -316,6 +318,10 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt)
 	qf->CACHED = true;
 	qf->NO_MINIMIZE = true;
 
+	if (is_synthesized && qry == req->rplan.initial) {
+		kr_request_set_extended_error(req, KNOT_EDNS_EDE_SYNTHESIZED,
+				"2NEP: synthesized from aggressive cache");
+	}
 	return KR_STATE_DONE;
 }
 
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 77cec796..169ce2bf 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -63,6 +63,10 @@ static int validate_rrsig_rr(int *flags, int cov_labels,
 	if (kr_fails_assert(flags && rrsigs && vctx && vctx->zone_name)) {
 		return kr_error(EINVAL);
 	}
+	if (knot_rrsig_sig_expiration(rrsigs) < knot_rrsig_sig_inception(rrsigs)) {
+		vctx->rrs_counters.expired_before_inception++;
+		return kr_error(EINVAL);
+	}
 	/* bullet 5 */
 	if (knot_rrsig_sig_expiration(rrsigs) < vctx->timestamp) {
 		vctx->rrs_counters.expired++;
@@ -435,26 +439,32 @@ finish:
 	return vctx->result;
 }
 
-bool kr_ds_algo_support(const knot_rrset_t *ta)
+int kr_ds_algo_support(const knot_rrset_t *ta)
 {
 	if (kr_fails_assert(ta && ta->type == KNOT_RRTYPE_DS && ta->rclass == KNOT_CLASS_IN))
-		return false;
+		return kr_error(EINVAL);
 	/* Check if at least one DS has a usable algorithm pair. */
+	int ret = kr_error(ENOENT);
 	knot_rdata_t *rdata_i = ta->rrs.rdata;
 	for (uint16_t i = 0; i < ta->rrs.count;
 			++i, rdata_i = knot_rdataset_next(rdata_i)) {
-		if (dnssec_algorithm_digest_support(knot_ds_digest_type(rdata_i))
-		    && dnssec_algorithm_key_support(knot_ds_alg(rdata_i))) {
-			return true;
-		}
+		if (dnssec_algorithm_digest_support(knot_ds_digest_type(rdata_i))) {
+			if (dnssec_algorithm_key_support(knot_ds_alg(rdata_i)))
+				return kr_ok();
+			else
+				ret = DNSSEC_INVALID_KEY_ALGORITHM;
+		} else
+			ret = DNSSEC_INVALID_DIGEST_ALGORITHM;
 	}
-	return false;
+	return ret;
 }
 
-// Now we instantiate these two as non-inline externally linkable code here (for lua).
+// Now we instantiate these three as non-inline externally linkable code here (for lua).
 KR_EXPORT extern inline KR_PURE
 bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata);
 KR_EXPORT extern inline KR_PURE
+bool kr_dnssec_key_zonekey_flag(const uint8_t *dnskey_rdata);
+KR_EXPORT extern inline KR_PURE
 bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata);
 
 int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *sigs,
diff --git a/lib/dnssec.h b/lib/dnssec.h
index 52465042..b9f854d0 100644
--- a/lib/dnssec.h
+++ b/lib/dnssec.h
@@ -56,8 +56,9 @@ struct kr_rrset_validation_ctx {
 	const struct kr_query *log_qry; /*!< The query; just for logging purposes. */
 	struct {
 		unsigned int matching_name_type;	/*!< Name + type matches */
-		unsigned int expired;
-		unsigned int notyet;
+		unsigned int expired;			/*!< Number of expired signatures */
+		unsigned int notyet;			/*!< Number of signatures not yet valid (inception > now) */
+		unsigned int expired_before_inception;	/*!< Number of signatures already expired before inception time */
 		unsigned int signer_invalid;		/*!< Signer is not zone apex */
 		unsigned int labels_invalid;		/*!< Number of labels in RRSIG */
 		unsigned int key_invalid;		/*!< Algorithm/keytag/key owner */
@@ -78,10 +79,17 @@ typedef struct kr_rrset_validation_ctx kr_rrset_validation_ctx_t;
 int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, knot_rrset_t *covered);
 
 /**
- * Return true iff the RRset contains at least one usable DS.  See RFC6840 5.2.
+ * Check whether the RRset contains at least one usable DS.
+ *
+ * See RFC6840 5.2.
+ * @param ta    Pointer to TA RRSet.
+ * @return      kr_ok() if at least one DS is supported
+ *              DNSSEC_INVALID_KEY_ALGORITHM if all DSes are not supported, because of their key algorithm
+ *              DNSSEC_INVALID_DIGEST_ALGORITHM if all DSes are not supported, because of their digest algorithm
+ * @note        Given that entries are iterated until a supported DS is found, the error refers to the last one.
  */
 KR_EXPORT KR_PURE
-bool kr_ds_algo_support(const knot_rrset_t *ta);
+int kr_ds_algo_support(const knot_rrset_t *ta);
 
 /**
  * Check whether the DNSKEY rrset matches the supplied trust anchor RRSet.
@@ -97,13 +105,20 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
 // flags: https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml
 //        https://datatracker.ietf.org/doc/html/rfc4034#section-2.1
 
-/** Return true if the DNSKEY has the SEP flag (normally ignored). */
+/** Return true if the DNSKEY has the SEP flag/bit set (normally ignored). */
 KR_EXPORT inline KR_PURE
 bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata)
 {
 	return dnskey_rdata[1] & 0x01;
 }
 
+/** Return true if the DNSKEY has the Zone Key flag/bit set. */
+KR_EXPORT inline KR_PURE
+bool kr_dnssec_key_zonekey_flag(const uint8_t *dnskey_rdata)
+{
+	return dnskey_rdata[0] & 0x01;
+}
+
 /** Return true if the DNSKEY is revoked. */
 KR_EXPORT inline KR_PURE
 bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata)
@@ -111,11 +126,14 @@ bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata)
 	return dnskey_rdata[1] & 0x80;
 }
 
-/** Return true if the DNSKEY could be used to validate zone records. */
+/**
+ * Return true if the DNSKEY could be used to validate zone records, meaning
+ * it correctly has the Zone Key flag/bit set to 1 and it is not revoked.
+ */
 static inline KR_PURE
 bool kr_dnssec_key_usable(const uint8_t *dnskey_rdata)
 {
-	return (dnskey_rdata[0] & 0x01) && !kr_dnssec_key_revoked(dnskey_rdata);
+	return kr_dnssec_key_zonekey_flag(dnskey_rdata) && !kr_dnssec_key_revoked(dnskey_rdata);
 }
 
 /** Return DNSKEY tag.
diff --git a/lib/generic/array.h b/lib/generic/array.h
index 9bea546b..eb1f7bc2 100644
--- a/lib/generic/array.h
+++ b/lib/generic/array.h
@@ -122,7 +122,7 @@ static inline void array_std_free(void *baton, void *p)
  * @return element index on success, <0 on failure
  */
 #define array_push_mm(array, val, reserve, baton) \
-	(int)((array).len < (array).cap ? ((array).at[(array).len] = (val), (array).len++) \
+	(ssize_t)((array).len < (array).cap ? ((array).at[(array).len] = (val), (array).len++) \
 		: (array_reserve_mm(array, ((array).cap + 1), reserve, baton) < 0 ? -1 \
 			: ((array).at[(array).len] = (val), (array).len++)))
 
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 69fe344c..3cc641cd 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -922,14 +922,15 @@ static int begin(kr_layer_t *ctx)
 	}
 
 	struct kr_query *qry = ctx->req->current_query;
-	/* Avoid any other classes, and avoid any meta-types ~~except for ANY~~. */
-	if (qry->sclass != KNOT_CLASS_IN
-	    || (knot_rrtype_is_metatype(qry->stype)
-		    /* && qry->stype != KNOT_RRTYPE_ANY hmm ANY seems broken ATM */)) {
+	/* Avoid any other classes, and avoid any meta-types. */
+	if (qry->sclass != KNOT_CLASS_IN || knot_rrtype_is_metatype(qry->stype)) {
 		knot_pkt_t *ans = kr_request_ensure_answer(ctx->req);
-		if (!ans) return ctx->req->state;
+		if (!ans)
+			return ctx->req->state;
+		/* This RCODE is explicitly suggested for meta QTYPEs in RFC 8906 sec.7 */
 		knot_wire_set_rcode(ans->wire, KNOT_RCODE_NOTIMPL);
-		return KR_STATE_FAIL;
+		kr_request_set_extended_error(ctx->req, KNOT_EDNS_EDE_NOTSUP, "57CK");
+		return KR_STATE_DONE;
 	}
 
 	return reset(ctx);
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index af20b2e4..321b0a25 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -12,6 +12,7 @@
 #include <libknot/rrtype/rdname.h>
 #include <libknot/rrtype/rrsig.h>
 #include <libdnssec/error.h>
+#include <libdnssec/key.h>
 
 #include "lib/dnssec/nsec.h"
 #include "lib/dnssec/nsec3.h"
@@ -137,6 +138,7 @@ do_downgrade: // we do this deep inside calls because of having signer name avai
 	VERBOSE_MSG(qry,
 		"<= DNSSEC downgraded due to expensive NSEC3: %d iterations, %d salt length\n",
 		(int)knot_nsec3_iters(rd), (int)knot_nsec3_salt_len(rd));
+	kr_request_set_extended_error(qry->request, KNOT_EDNS_EDE_NSEC3_ITERS, "AUO2");
 	qry->flags.DNSSEC_WANT = false;
 	qry->flags.DNSSEC_INSECURE = true;
 	rank_records(qry, true, KR_RANK_INSECURE, vctx->zone_name);
@@ -242,7 +244,9 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qr
 		} else {
 			kr_rank_set(&entry->rank, KR_RANK_BOGUS);
 			vctx->err_cnt += 1;
-			if (vctx->rrs_counters.expired > 0)
+			if (vctx->rrs_counters.expired_before_inception > 0)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_EXPIRED_INV, "XXAP");
+			else if (vctx->rrs_counters.expired > 0)
 				kr_request_set_extended_error(req, KNOT_EDNS_EDE_SIG_EXPIRED, "YFJ2");
 			else if (vctx->rrs_counters.notyet > 0)
 				kr_request_set_extended_error(req, KNOT_EDNS_EDE_SIG_NOTYET, "UBBS");
@@ -368,7 +372,12 @@ static int validate_keyset(struct kr_request *req, knot_pkt_t *answer, bool has_
 			}
 		}
 		if (sig_index < 0) {
-			kr_request_set_extended_error(req, KNOT_EDNS_EDE_RRSIG_MISS, "EZDC");
+			if (!kr_dnssec_key_zonekey_flag(qry->zone_cut.key->rrs.rdata->data)) {
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_BIT, "YQEH");
+			} else {
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_RRSIG_MISS,
+							"EZDC: no valid RRSIGs for DNSKEY");
+			}
 			return kr_error(ENOENT);
 		}
 		const knot_rdataset_t *sig_rds = &req->answ_selected.at[sig_index]->rr->rrs;
@@ -395,15 +404,49 @@ static int validate_keyset(struct kr_request *req, knot_pkt_t *answer, bool has_
 				ret == 0 ? KR_RANK_SECURE : KR_RANK_BOGUS);
 
 		if (ret != 0) {
-			log_bogus_rrsig(&vctx, qry->zone_cut.key, "bogus key");
-			knot_rrset_free(qry->zone_cut.key, qry->zone_cut.pool);
-			qry->zone_cut.key = NULL;
-			if (vctx.rrs_counters.expired > 0)
+			const knot_rdataset_t *ds = &qry->zone_cut.trust_anchor->rrs;
+			int sep_keytag = kr_dnssec_key_tag(KNOT_RRTYPE_DS, ds->rdata->data, ds->rdata->len);
+			int dnskey_keytag = -1;
+			bool have_zone_key_bit = true, dnskey_algo_supported = true;
+			knot_rdata_t *rdata_sep = NULL, *rdata_i = qry->zone_cut.key->rrs.rdata;
+			for (uint8_t i = 0; i < qry->zone_cut.key->rrs.count;
+			    ++i, rdata_i = knot_rdataset_next(rdata_i)) {
+				if (dnskey_keytag != sep_keytag) {
+					dnskey_keytag = kr_dnssec_key_tag(KNOT_RRTYPE_DNSKEY, rdata_i->data, rdata_i->len);
+					rdata_sep = rdata_i;
+				}
+
+				if (!kr_dnssec_key_zonekey_flag(rdata_i->data))
+					have_zone_key_bit = false;
+
+				if (!dnssec_algorithm_key_support(knot_dnskey_alg(rdata_i)))
+					dnskey_algo_supported = false;
+			}
+			bool sep_matches_tag_algo = rdata_sep && sep_keytag == dnskey_keytag &&
+				knot_ds_alg(ds->rdata) == knot_dnskey_alg(rdata_sep);
+
+			if (!have_zone_key_bit)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_BIT, "CYNG");
+			else if (!sep_matches_tag_algo)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_MISS, "NMJZ: no matching SEP");
+			else if (kr_dnssec_key_revoked(rdata_sep->data))
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_MISS, "DGVI: DNSKEY matching SEP has the Revoke bit set");
+			else if (!dnskey_algo_supported)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_ALG, "H6OO");
+			else if (vctx.rrs_counters.matching_name_type == 0 && vctx.rrs_counters.key_invalid > 0)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_RRSIG_MISS, "7N4Z: no valid RRSIGs for DNSKEY");
+			else if (vctx.rrs_counters.expired_before_inception > 0)
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_EXPIRED_INV, "4UBF");
+			else if (vctx.rrs_counters.expired > 0)
 				kr_request_set_extended_error(req, KNOT_EDNS_EDE_SIG_EXPIRED, "6GJV");
 			else if (vctx.rrs_counters.notyet > 0)
 				kr_request_set_extended_error(req, KNOT_EDNS_EDE_SIG_NOTYET, "4DJQ");
 			else
 				kr_request_set_extended_error(req, KNOT_EDNS_EDE_BOGUS, "EXRU");
+
+			log_bogus_rrsig(&vctx, qry->zone_cut.key, "bogus key");
+			knot_rrset_free(qry->zone_cut.key, qry->zone_cut.pool);
+			qry->zone_cut.key = NULL;
 			return ret;
 		}
 
@@ -1137,7 +1180,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 			count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3);
 		if (count > 8) {
 			VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count);
-			kr_request_set_extended_error(req, 27/*KNOT_EDNS_EDE_NSEC3_ITERS*/,
+			kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS,
 				/* It's not about iteration values per se, but close enough. */
 				"DYRH: too many NSEC3 records");
 			qry->flags.DNSSEC_BOGUS = true;
@@ -1147,10 +1190,19 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 
 	if (knot_wire_get_aa(pkt->wire) && qtype == KNOT_RRTYPE_DNSKEY) {
 		const knot_rrset_t *ds = qry->zone_cut.trust_anchor;
-		if (ds && !kr_ds_algo_support(ds)) {
-			VERBOSE_MSG(qry, ">< all DS entries use unsupported algorithm pairs, going insecure\n");
-			/* ^ the message is a bit imprecise to avoid being too verbose */
-			kr_request_set_extended_error(req, KNOT_EDNS_EDE_OTHER, "LSLC: unsupported digest/key");
+		ret = ds ? kr_ds_algo_support(ds) : kr_ok();
+		if (ret != kr_ok()) {
+			char *reason = "???";
+			if (ret == DNSSEC_INVALID_KEY_ALGORITHM) {
+				reason = "key";
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DNSKEY_ALG, "PBAO");
+			} else if (ret == DNSSEC_INVALID_DIGEST_ALGORITHM) {
+				reason = "digest";
+				kr_request_set_extended_error(req, KNOT_EDNS_EDE_DS_DIGEST, "DDDV");
+			}
+			VERBOSE_MSG(qry,
+				">< all DS entries are unsupported (last error: %s algorithm), going insecure\n",
+				reason);
 			qry->flags.DNSSEC_WANT = false;
 			qry->flags.DNSSEC_INSECURE = true;
 			rank_records(qry, true, KR_RANK_INSECURE, qry->zone_cut.name);
@@ -1320,37 +1372,6 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 	VERBOSE_MSG(qry, "<= answer valid, OK\n");
 	return KR_STATE_DONE;
 }
-
-/** Hide RRsets which did not validate from clients. */
-static int hide_bogus(kr_layer_t *ctx) {
-	if (knot_wire_get_cd(ctx->req->qsource.packet->wire)) {
-		return ctx->state;
-	}
-	/* We don't want to send bogus answers to clients, not even in SERVFAIL
-	 * answers, but we cannot drop whole sections. If a CNAME chain
-	 * SERVFAILs somewhere, the steps that were OK should be put into
-	 * answer.
-	 *
-	 * There is one specific issue: currently we follow CNAME *before*
-	 * we validate it, because... iterator comes before validator.
-	 * Therefore some rrsets might be added into req->*_selected before
-	 * we detected failure in validator.
-	 * TODO: better approach, probably during work on parallel queries.
-	 */
-	const ranked_rr_array_t *sel[] = kr_request_selected(ctx->req);
-	for (knot_section_t sect = KNOT_ANSWER; sect <= KNOT_ADDITIONAL; ++sect) {
-		for (size_t i = 0; i < sel[sect]->len; ++i) {
-			ranked_rr_array_entry_t *e = sel[sect]->at[i];
-			e->to_wire = e->to_wire
-				&& !kr_rank_test(e->rank, KR_RANK_INDET)
-				&& !kr_rank_test(e->rank, KR_RANK_BOGUS)
-				&& !kr_rank_test(e->rank, KR_RANK_MISMATCH)
-				&& !kr_rank_test(e->rank, KR_RANK_MISSING);
-		}
-	}
-	return ctx->state;
-}
-
 static int validate_wrapper(kr_layer_t *ctx, knot_pkt_t *pkt) {
 	// Wrapper for now.
 	int ret = validate(ctx, pkt);
@@ -1358,25 +1379,64 @@ static int validate_wrapper(kr_layer_t *ctx, knot_pkt_t *pkt) {
 	struct kr_query *qry = req->current_query;
 	if (ret & KR_STATE_FAIL && qry->flags.DNSSEC_BOGUS)
 		qry->server_selection.error(qry, req->upstream.transport, KR_SELECTION_DNSSEC_ERROR);
-	if (ret & KR_STATE_DONE && !qry->flags.DNSSEC_BOGUS) {
-		/* Don't report extended DNS errors related to validation
-		 * when it managed to succeed (e.g. by trying different auth). */
-		switch (req->extended_error.info_code) {
+	return ret;
+}
+
+/**
+ * Hide RRsets which did not validate from clients and clear Extended
+ * Error if a query failed validation, but later managed to succeed.
+ */
+static int validate_finalize(kr_layer_t *ctx) {
+	if (!knot_wire_get_cd(ctx->req->qsource.packet->wire)) {
+		/* We don't want to send bogus answers to clients, not even in SERVFAIL
+		 * answers, but we cannot drop whole sections. If a CNAME chain
+		 * SERVFAILs somewhere, the steps that were OK should be put into
+		 * answer.
+		 *
+		 * There is one specific issue: currently we follow CNAME *before*
+		 * we validate it, because... iterator comes before validator.
+		 * Therefore some rrsets might be added into req->*_selected before
+		 * we detected failure in validator.
+		 * TODO: better approach, probably during work on parallel queries.
+		 */
+		const ranked_rr_array_t *sel[] = kr_request_selected(ctx->req);
+		for (knot_section_t sect = KNOT_ANSWER; sect <= KNOT_ADDITIONAL; ++sect) {
+			for (size_t i = 0; i < sel[sect]->len; ++i) {
+				ranked_rr_array_entry_t *e = sel[sect]->at[i];
+				e->to_wire = e->to_wire
+					&& !kr_rank_test(e->rank, KR_RANK_INDET)
+					&& !kr_rank_test(e->rank, KR_RANK_BOGUS)
+					&& !kr_rank_test(e->rank, KR_RANK_MISMATCH)
+					&& !kr_rank_test(e->rank, KR_RANK_MISSING);
+			}
+		}
+	}
+
+	/* Clear DNSSEC-related Extended Error in case the request managed to succeed somehow. */
+	if (ctx->state == KR_STATE_DONE) {
+		switch (ctx->req->extended_error.info_code) {
+		case KNOT_EDNS_EDE_DNSKEY_ALG:
+		case KNOT_EDNS_EDE_DS_DIGEST:
+		case KNOT_EDNS_EDE_NSEC3_ITERS: ;
+			/* These EDEs are meant to result into _INSECURE success. */
+			const struct kr_query *qry = kr_rplan_resolved(&ctx->req->rplan);
+			if (qry->flags.DNSSEC_INSECURE)
+				break;
 		case KNOT_EDNS_EDE_BOGUS:
 		case KNOT_EDNS_EDE_NSEC_MISS:
 		case KNOT_EDNS_EDE_RRSIG_MISS:
 		case KNOT_EDNS_EDE_SIG_EXPIRED:
+		case KNOT_EDNS_EDE_EXPIRED_INV:
 		case KNOT_EDNS_EDE_SIG_NOTYET:
-			kr_request_set_extended_error(req, KNOT_EDNS_EDE_NONE, NULL);
-			break;
-		case KNOT_EDNS_EDE_DNSKEY_MISS:
 		case KNOT_EDNS_EDE_DNSKEY_BIT:
-			kr_assert(false);  /* These EDE codes aren't used. */
+		case KNOT_EDNS_EDE_DNSKEY_MISS:
+			kr_request_set_extended_error(ctx->req, KNOT_EDNS_EDE_NONE, NULL);
 			break;
 		default: break;  /* Remaining codes don't indicate hard DNSSEC failure. */
 		}
 	}
-	return ret;
+
+	return ctx->state;
 }
 
 
@@ -1385,7 +1445,7 @@ int validate_init(struct kr_module *self)
 {
 	static const kr_layer_api_t layer = {
 		.consume = &validate_wrapper,
-		.answer_finalize = &hide_bogus,
+		.answer_finalize = &validate_finalize,
 	};
 	self->layer = &layer;
 	return kr_ok();
diff --git a/lib/log.h b/lib/log.h
index a3887e57..d3bc9145 100644
--- a/lib/log.h
+++ b/lib/log.h
@@ -109,7 +109,7 @@ enum kr_log_group {
 #define LOG_GRP_VALIDATOR_TAG		"valdtr"	/**< ``valdtr``: operations related to validate layer */
 #define LOG_GRP_RESOLVER_TAG		"resolv"	/**< ``resolv``: operations related to resolving */
 #define LOG_GRP_SELECTION_TAG		"select"	/**< ``select``: operations related to server selection */
-#define LOG_GRP_ZCUT_TAG		"zoncut"	/**< ``zonecut``: operations related to zone cut */
+#define LOG_GRP_ZCUT_TAG		"zoncut"	/**< ``zoncut``: operations related to zone cut */
 #define LOG_GRP_COOKIES_TAG		"cookie"	/**< ``cookie``: operations related to cookies */
 #define LOG_GRP_STATISTICS_TAG		"statis"	/**< ``statis``: operations related to statistics */
 #define LOG_GRP_REBIND_TAG		"rebind"	/**< ``rebind``: operations related to rebinding */
diff --git a/lib/resolve-produce.c b/lib/resolve-produce.c
index 563a2ca2..a3a2401e 100644
--- a/lib/resolve-produce.c
+++ b/lib/resolve-produce.c
@@ -697,6 +697,18 @@ int kr_resolve_produce(struct kr_request *request, struct kr_transport **transpo
 		if (qry->flags.NO_NS_FOUND) {
 			ITERATE_LAYERS(request, qry, reset);
 			kr_rplan_pop(rplan, qry);
+
+			/* Construct EDE message.  We need it on mempool. */
+			char cut_buf[KR_DNAME_STR_MAXLEN];
+			char *msg = knot_dname_to_str(cut_buf, qry->zone_cut.name, sizeof(cut_buf));
+			if (!kr_fails_assert(msg)) {
+				if (*qry->zone_cut.name != '\0') /* Strip trailing dot. */
+					cut_buf[strlen(cut_buf) - 1] = '\0';
+				msg = kr_strcatdup_pool(&request->pool, 2,
+						"P3CD: delegation ", cut_buf);
+			}
+			kr_request_set_extended_error(request, KNOT_EDNS_EDE_NREACH_AUTH, msg);
+
 			return KR_STATE_FAIL;
 		} else {
 			/* FIXME: This is probably quite inefficient:
diff --git a/lib/resolve.c b/lib/resolve.c
index 4730f105..bc00471b 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -738,6 +738,17 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo
 					qry->flags.NO_NS_FOUND = true;
 					return KR_STATE_PRODUCE;
 				}
+
+				/* Construct EDE message.  We need it on mempool. */
+				char cut_buf[KR_DNAME_STR_MAXLEN];
+				char *msg = knot_dname_to_str(cut_buf, qry->zone_cut.name, sizeof(cut_buf));
+				if (!kr_fails_assert(msg)) {
+					if (*qry->zone_cut.name != '\0') /* Strip trailing dot. */
+						cut_buf[strlen(cut_buf) - 1] = '\0';
+					msg = kr_strcatdup_pool(&request->pool, 2,
+							"OLX2: delegation ", cut_buf);
+				}
+				kr_request_set_extended_error(request, KNOT_EDNS_EDE_NREACH_AUTH, msg);
 				return KR_STATE_FAIL;
 			}
 		} else {
@@ -972,12 +983,15 @@ knot_mm_t *kr_resolve_pool(struct kr_request *request)
 static int ede_priority(int info_code)
 {
 	switch(info_code) {
+	case KNOT_EDNS_EDE_TOO_EARLY:
+		return 910;
 	case KNOT_EDNS_EDE_DNSKEY_BIT:
 	case KNOT_EDNS_EDE_DNSKEY_MISS:
 	case KNOT_EDNS_EDE_SIG_EXPIRED:
 	case KNOT_EDNS_EDE_SIG_NOTYET:
 	case KNOT_EDNS_EDE_RRSIG_MISS:
 	case KNOT_EDNS_EDE_NSEC_MISS:
+	case KNOT_EDNS_EDE_EXPIRED_INV:
 		return 900;  /* Specific DNSSEC failures */
 	case KNOT_EDNS_EDE_BOGUS:
 		return 800;  /* Generic DNSSEC failure */
@@ -990,6 +1004,7 @@ static int ede_priority(int info_code)
 		return 600;  /* Policy related */
 	case KNOT_EDNS_EDE_DNSKEY_ALG:
 	case KNOT_EDNS_EDE_DS_DIGEST:
+	case KNOT_EDNS_EDE_NSEC3_ITERS:
 		return 500;  /* Non-critical DNSSEC issues */
 	case KNOT_EDNS_EDE_STALE:
 	case KNOT_EDNS_EDE_STALE_NXD:
@@ -1002,10 +1017,12 @@ static int ede_priority(int info_code)
 	case KNOT_EDNS_EDE_NREACH_AUTH:
 	case KNOT_EDNS_EDE_NETWORK:
 	case KNOT_EDNS_EDE_INV_DATA:
+	case KNOT_EDNS_EDE_SYNTHESIZED:
 		return 200;  /* Assorted codes */
 	case KNOT_EDNS_EDE_OTHER:
 		return 100;  /* Most generic catch-all error */
 	case KNOT_EDNS_EDE_NONE:
+	case KNOT_EDNS_EDE_NONCONF_POLICY:  /* Defined by an expired Internet Draft */
 		return 0;  /* No error - allow overriding */
 	default:
 		kr_assert(false);  /* Unknown info_code */
diff --git a/lib/resolve.h b/lib/resolve.h
index 443fef29..cbc20877 100644
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -260,6 +260,7 @@ struct kr_request {
 	ranked_rr_array_t add_selected;
 	bool answ_validated; /**< internal to validator; beware of caching, etc. */
 	bool auth_validated; /**< see answ_validated ^^ ; TODO */
+	bool stale_accounted;
 
 	/** Overall rank for the request.
 	 *
diff --git a/lib/rules/api.c b/lib/rules/api.c
index 5ecbe29e..53ebbf7e 100644
--- a/lib/rules/api.c
+++ b/lib/rules/api.c
@@ -46,8 +46,12 @@ static int answer_exact_match(struct kr_query *qry, knot_pkt_t *pkt, uint16_t ty
 		const uint8_t *data, const uint8_t *data_bound);
 static int answer_zla_empty(val_zla_type_t type, struct kr_query *qry, knot_pkt_t *pkt,
 		knot_db_val_t zla_lf, uint32_t ttl);
+static int answer_zla_dname(val_zla_type_t type, struct kr_query *qry, knot_pkt_t *pkt,
+				knot_db_val_t zla_lf, uint32_t ttl, knot_db_val_t *val);
 static int answer_zla_redirect(struct kr_query *qry, knot_pkt_t *pkt, const char *ruleset_name,
 				knot_db_val_t zla_lf, uint32_t ttl);
+static int rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
+			const knot_dname_t *target, uint32_t ttl, kr_rule_tags_t tags);
 
 // LATER: doing tag_names_default() and kr_rule_tag_add() inside a RW transaction would be better.
 static int tag_names_default(void)
@@ -418,25 +422,30 @@ int rule_local_data_answer(struct kr_query *qry, knot_pkt_t *pkt)
 			uint32_t ttl = KR_RULE_TTL_DEFAULT;
 			if (val.len >= sizeof(ttl)) // allow omitting -> can't kr_assert
 				deserialize_fails_assert(&val, &ttl);
-			if (kr_fails_assert(val.len == 0)) {
-				kr_log_error(RULES, "ERROR: unused bytes: %zu\n", val.len);
-				return kr_error(EILSEQ);
-			}
+
 			// Finally execute the rule.
 			switch (ztype) {
 			case KR_RULE_SUB_EMPTY:
 			case KR_RULE_SUB_NXDOMAIN:
 			case KR_RULE_SUB_NODATA:
 				ret = answer_zla_empty(ztype, qry, pkt, zla_lf, ttl);
-				if (ret == kr_error(EAGAIN))
-					goto shorten;
-				return ret ? ret : RET_ANSWERED;
+				break;
 			case KR_RULE_SUB_REDIRECT:
 				ret = answer_zla_redirect(qry, pkt, ruleset_name, zla_lf, ttl);
-				return ret ? kr_error(ret) : RET_ANSWERED;
+				break;
+			case KR_RULE_SUB_DNAME:
+				ret = answer_zla_dname(ztype, qry, pkt, zla_lf, ttl, &val);
+				break;
 			default:
 				return kr_error(EILSEQ);
 			}
+			if (kr_fails_assert(val.len == 0)) {
+				kr_log_error(RULES, "ERROR: unused bytes: %zu\n", val.len);
+				return kr_error(EILSEQ);
+			}
+			if (ret == kr_error(EAGAIN))
+				goto shorten;
+			return ret ? kr_error(ret) : RET_ANSWERED;
 		} while (true);
 	}
 
@@ -570,7 +579,17 @@ int local_data_ins(knot_db_val_t key, const knot_rrset_t *rrs,
 	int ret = ruledb_op(write, &key, &val, 1); // TODO: overwriting on ==tags?
 	// ENOSPC seems to be the only expectable error.
 	kr_assert(ret == 0 || ret == kr_error(ENOSPC));
-	return ret;
+
+	if (ret || rrs->type != KNOT_RRTYPE_DNAME)
+		return ret;
+	// Now we do special handling for DNAMEs
+	//  - we inserted as usual, so that it works with QTYPE == DNAME
+	//  - now we insert a ZLA to handle generating CNAMEs
+	//  - yes, some edge cases won't work as in real DNS zones (e.g. occlusion)
+	if (kr_fails_assert(rrs->rrs.count))
+		return kr_error(EINVAL);
+	return rule_local_subtree(rrs->owner, KR_RULE_SUB_DNAME,
+				knot_dname_target(rrs->rrs.rdata), rrs->ttl, tags);
 }
 int kr_rule_local_data_del(const knot_rrset_t *rrs, kr_rule_tags_t tags)
 {
@@ -697,6 +716,78 @@ static int answer_zla_empty(val_zla_type_t type, struct kr_query *qry, knot_pkt_
 	return kr_ok();
 }
 
+static int answer_zla_dname(val_zla_type_t type, struct kr_query *qry, knot_pkt_t *pkt,
+				const knot_db_val_t zla_lf, uint32_t ttl, knot_db_val_t *val)
+{
+	if (kr_fails_assert(type == KR_RULE_SUB_DNAME))
+		return kr_error(EINVAL);
+	
+	const knot_dname_t *dname_target = val->data;
+	// Theoretically this check could overread the val->len, but that's OK,
+	// as the policy DB contents wouldn't be directly written by a malicious party.
+	// Moreover, an overread shouldn't cause worse than a clean segfault.
+	if (kr_fails_assert(knot_dname_size(dname_target) == val->len))
+		return kr_error(EILSEQ);
+	{ // update *val; avoiding void* arithmetics complicates this
+		char *tmp = val->data;
+		tmp += val->len;
+		val->data = tmp;
+
+		val->len = 0;
+	}
+
+	knot_dname_t apex_name[KNOT_DNAME_MAXLEN];
+	int ret = knot_dname_lf2wire(apex_name, zla_lf.len, zla_lf.data);
+	CHECK_RET(ret);
+
+	const bool hit_apex = knot_dname_is_equal(qry->sname, apex_name);
+	if (hit_apex && type == KR_RULE_SUB_DNAME)
+		return kr_error(EAGAIN); // LATER: maybe a type that matches apex
+
+	// Start constructing the (pseudo-)packet.
+	ret = pkt_renew(pkt, qry->sname, qry->stype);
+	CHECK_RET(ret);
+	struct answer_rrset arrset;
+	memset(&arrset, 0, sizeof(arrset));
+
+	arrset.set.rr = knot_rrset_new(qry->sname, KNOT_RRTYPE_CNAME,
+					KNOT_CLASS_IN, ttl, &pkt->mm);
+	if (kr_fails_assert(arrset.set.rr))
+		return kr_error(ENOMEM);
+	const knot_dname_t *cname_target = knot_dname_replace_suffix(qry->sname,
+			knot_dname_labels(apex_name, NULL), dname_target, &pkt->mm);
+	const int rdata_len = knot_dname_size(cname_target);
+	const bool cname_fits = rdata_len <= KNOT_DNAME_MAXLEN;
+	if (cname_fits) {
+		ret = knot_rrset_add_rdata(arrset.set.rr, cname_target,
+					  knot_dname_size(cname_target), &pkt->mm);
+		CHECK_RET(ret);
+	}
+
+	arrset.set.rank = KR_RANK_SECURE | KR_RANK_AUTH; // local data has high trust
+	arrset.set.expiring = false;
+
+	if (cname_fits) {
+		knot_wire_set_rcode(pkt->wire, KNOT_RCODE_NOERROR);
+		ret = knot_pkt_begin(pkt, KNOT_ANSWER);
+		CHECK_RET(ret);
+
+		// Put links to the RR into the pkt.
+		ret = pkt_append(pkt, &arrset);
+		CHECK_RET(ret);
+	} else {
+		knot_wire_set_rcode(pkt->wire, KNOT_RCODE_YXDOMAIN);
+	}
+
+	// Finishing touches.
+	qry->flags.EXPIRING = false;
+	qry->flags.CACHED = true;
+	qry->flags.NO_MINIMIZE = true;
+
+	VERBOSE_MSG(qry, "=> satisfied by local data (DNAME)\n");
+	return kr_ok();
+}
+
 static int answer_zla_redirect(struct kr_query *qry, knot_pkt_t *pkt, const char *ruleset_name,
 				const knot_db_val_t zla_lf, uint32_t ttl)
 {
@@ -760,6 +851,11 @@ nodata: // Want NODATA answer (or NOERROR if it hits apex SOA).
 	return kr_ok();
 }
 
+int kr_rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
+			  uint32_t ttl, kr_rule_tags_t tags)
+{
+	return rule_local_subtree(apex, type, NULL, ttl, tags);
+}
 knot_db_val_t zla_key(const knot_dname_t *apex, uint8_t key_data[KEY_MAXLEN])
 {
 	kr_require(the_rules);
@@ -775,11 +871,16 @@ knot_db_val_t zla_key(const knot_dname_t *apex, uint8_t key_data[KEY_MAXLEN])
 	key.len = key_data + KEY_DNAME_END_OFFSET - (uint8_t *)key.data;
 	return key;
 }
-int kr_rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
-			  uint32_t ttl, kr_rule_tags_t tags)
+static int rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
+			const knot_dname_t *target, uint32_t ttl, kr_rule_tags_t tags)
 {
 	// type-check
+	const bool has_target = (type == KR_RULE_SUB_DNAME);
 	switch (type) {
+	case KR_RULE_SUB_DNAME:
+		if (kr_fails_assert(!!target == has_target))
+			return kr_error(EINVAL);
+		break;
 	case KR_RULE_SUB_EMPTY:
 	case KR_RULE_SUB_NXDOMAIN:
 	case KR_RULE_SUB_NODATA:
@@ -797,8 +898,10 @@ int kr_rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
 	knot_db_val_t key = zla_key(apex, key_data);
 
 	// Prepare the data into a temporary buffer.
-	const bool has_ttl = ttl != KR_RULE_TTL_DEFAULT;
-	const int val_len = sizeof(tags) + sizeof(ztype) + (has_ttl ? sizeof(ttl) : 0);
+	const int target_len = has_target ? knot_dname_size(target) : 0;
+	const bool has_ttl = ttl != KR_RULE_TTL_DEFAULT || has_target;
+	const int val_len = sizeof(tags) + sizeof(ztype) + (has_ttl ? sizeof(ttl) : 0)
+			  + target_len;
 	uint8_t buf[val_len], *data = buf;
 	memcpy(data, &tags, sizeof(tags));
 	data += sizeof(tags);
@@ -808,6 +911,10 @@ int kr_rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
 		memcpy(data, &ttl, sizeof(ttl));
 		data += sizeof(ttl);
 	}
+	if (has_target) {
+		memcpy(data, target, target_len);
+		data += target_len;
+	}
 	kr_require(data == buf + val_len);
 
 	knot_db_val_t val = { .data = buf, .len = val_len };
diff --git a/lib/rules/api.h b/lib/rules/api.h
index f1737a19..c7d1dd29 100644
--- a/lib/rules/api.h
+++ b/lib/rules/api.h
@@ -156,11 +156,14 @@ enum kr_rule_sub_t {
 	KR_RULE_SUB_NODATA,
 	/// Redirect: anything beneath has the same data as apex (except NS+SOA).
 	KR_RULE_SUB_REDIRECT,
+	/// Act similar to DNAME: rebase everything underneath by generated CNAMEs.
+	KR_RULE_SUB_DNAME,
 };
 /** Insert a simple sub-tree rule.
  *
  * - into the default rule-set
  * - SOA and NS for generated answers aren't overridable.
+ * - type: you can't use _DNAME via this function; insert it by kr_rule_local_data_ins()
  */
 KR_EXPORT
 int kr_rule_local_subtree(const knot_dname_t *apex, enum kr_rule_sub_t type,
diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index d308f375..773ca937 100644
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -47,8 +47,10 @@ static void rr_scan2trie(zs_scanner_t *s)
 			rr->ttl = s->r_ttl; // we could also warn here
 	} else {
 		rr = *rr_p = mm_alloc(s_data->pool, sizeof(*rr));
-		knot_rrset_init(rr, NULL, s->r_type, KNOT_CLASS_IN, s->r_ttl);
-			// we don't ^^ need owner so save allocation
+		knot_dname_t *owner = NULL; // we only utilize owner for DNAMEs
+		if (s->r_type == KNOT_RRTYPE_DNAME) // Nit: copy could be done a bit faster
+			owner = knot_dname_copy(s->r_owner, s_data->pool);
+		knot_rrset_init(rr, owner, s->r_type, KNOT_CLASS_IN, s->r_ttl);
 	}
 	int ret = knot_rrset_add_rdata(rr, s->r_data, s->r_data_length, s_data->pool);
 	kr_assert(!ret);
diff --git a/lib/utils.c b/lib/utils.c
index de7c02cb..3af2fd04 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -107,7 +107,7 @@ static inline int u16tostr(uint8_t *dst, uint16_t num)
 	return 5;
 }
 
-char* kr_strcatdup(unsigned n, ...)
+char* kr_strcatdup_pool(knot_mm_t *pool, unsigned n, ...)
 {
 	if (n < 1) {
 		return NULL;
@@ -132,7 +132,7 @@ char* kr_strcatdup(unsigned n, ...)
 	char *result = NULL;
 	if (total_len > 0) {
 		if (unlikely(total_len == SIZE_MAX)) return NULL;
-		result = malloc(total_len + 1);
+		result = mm_alloc(pool, total_len + 1);
 	}
 	if (result) {
 		char *stream = result;
diff --git a/lib/utils.h b/lib/utils.h
index 9fdc2d48..8c1ef8c1 100644
--- a/lib/utils.h
+++ b/lib/utils.h
@@ -170,9 +170,11 @@ typedef struct kr_http_header_array_entry {
 /** Array of HTTP headers for DoH. */
 typedef array_t(kr_http_header_array_entry_t) kr_http_header_array_t;
 
-/** Concatenate N strings. */
+/** Concatenate N strings and put the result into a mempool. */
 KR_EXPORT
-char* kr_strcatdup(unsigned n, ...);
+char* kr_strcatdup_pool(knot_mm_t *pool, unsigned n, ...);
+/** Concatenate N strings. */
+#define kr_strcatdup(n, ...) kr_strcatdup_pool(NULL, n, ## __VA_ARGS__)
 
 /** Construct absolute file path, without resolving symlinks.
  * \return malloc-ed string or NULL (+errno in that case) */