From 46ea366f5f50731365f87192b871b6316577ba9f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 8 Sep 2015 10:52:04 +0200
Subject: [PATCH] Fix dnssec validation of direct CNAME queries

Thanks Simson L. Garfinkel.
---
 ChangeLog    | 4 +++-
 src/dnssec.c | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 534d149a..8f7da390 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 * 2015-09-??: Version 0.3.3
   * Fix clearing upstream events on shutdown
-
+  * Fix dnssec validation of direct CNAME queries.
+    Thanks Simson L. Garfinkel.
+
 * 2015-09-04: Version 0.3.2
   * Fix returned upstreams list by getdns_context_get_api_information()
   * Fix some autoconf issues when srcdir != builddir
diff --git a/src/dnssec.c b/src/dnssec.c
index f72f3066..967e1aec 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1065,8 +1065,17 @@ static void add_question2val_chain(struct mem_funcs *mf,
 			q_rrset.name = _getdns_rdf_if_or_as_decompressed(
 			    rdf, cname_spc, &cname_len);
 		}
+
+		/* If the qtype was a CNAME, and we got one, we'r done.
+		 * We asked for it directly, so no redirection applies.
+		 * Otherwise we have to check the refered to name/qtype.
+		 */
+		if (qtype == GETDNS_RRTYPE_CNAME && q_rrset.name != qname)
+			return;
+
 		q_rrset.rr_type = qtype;
 		if (!(rr = rrtype_iter_init(&rr_spc, &q_rrset))) {
+
 			/* No answer for the question. Add a head for this rrset
 			 * anyway, to validate proof of non-existance, or to find
 			 * proof that the packet is insecure.
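Review bot: The new guard `if (qtype == GETDNS_RRTYPE_CNAME && q_rrset.name != qname)` compares pointers, not owner names, so it only means "at least one CNAME was followed" because the loop above reassigns q_rrset.name to a decompression buffer on each hop; that deserves a comment, e.g. `/* pointer compare: q_rrset.name only leaves qname after a CNAME hop */`. The early return also relies on that loop having already queued the CNAME rrset(s) for validation — if it has not, a direct CNAME answer would skip chain-head creation here and escape validation, so the dependency should be stated next to the return (or checked) rather than left implicit. add_question2val_chain begins before the hunk, so the loop that sets q_rrset.name is not visible here. Minor: "we'r" should read "we're" and "refered" should read "referred" in the new comment, and the blank line added directly after `{` ahead of the existing "No answer for the question" comment looks stray.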