Fix dnssec validation of direct CNAME queries

Thanks Simson L. Garfinkel.
2015-09-08 10:52:04 +02:00 · 2015-09-08 10:52:04 +02:00 · 46ea366f5f
parent 560f168460
commit 46ea366f5f
2 changed files with 12 additions and 1 deletions
--- a/4
+++ b/4
@ -1,6 +1,8 @@
 * 2015-09-??: Version 0.3.3
  * Fix clearing upstream events on shutdown
-	
+  * Fix dnssec validation of direct CNAME queries.
+    Thanks Simson L. Garfinkel.
+
 * 2015-09-04: Version 0.3.2
  * Fix returned upstreams list by getdns_context_get_api_information()
  * Fix some autoconf issues when srcdir != builddir
--- a/src/dnssec.c
+++ b/src/dnssec.c
@ -1065,8 +1065,17 @@ static void add_question2val_chain(struct mem_funcs *mf,
 		q_rrset.name = _getdns_rdf_if_or_as_decompressed(
 				rdf, cname_spc, &cname_len);
 	}
+
+	/* If the qtype was a CNAME, and we got one, we'r done.
+	 * We asked for it directly, so no redirection applies.
+	 * Otherwise we have to check the refered to name/qtype.
+	 */
+	if (qtype == GETDNS_RRTYPE_CNAME && q_rrset.name != qname)
+		return;
+
 	q_rrset.rr_type  = qtype;
 	if (!(rr = rrtype_iter_init(&rr_spc, &q_rrset))) {
+
 		/* No answer for the question.  Add a head for this rrset
 		 * anyway, to validate proof of non-existance, or to find
 		 * proof that the packet is insecure.