[packages/unbound.git] / unbound-bug-3512.patch

diff --git a/iterator/iterator.c b/iterator/iterator.c
index 7f3c6573..33fb02dd 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1157,6 +1157,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	if(iq->query_restart_count > MAX_RESTART_COUNT) {
 		verbose(VERB_QUERY, "request has exceeded the maximum number"
 			" of query restarts with %d", iq->query_restart_count);
+		if(iq->response) {
+			/* return the partial CNAME loop, i.e. with the
+			 * actual packet in iq->response cleared of RRsets,
+			 * the stored prepend RRsets contain the loop contents
+			 * with duplicates removed */
+			return next_state(iq, FINISHED_STATE);
+		}
 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
 
@@ -1246,6 +1253,11 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->qchase.qname_len = slen;
 			/* This *is* a query restart, even if it is a cheap 
 			 * one. */
+			msg->rep->an_numrrsets = 0;
+			msg->rep->ns_numrrsets = 0;
+			msg->rep->ar_numrrsets = 0;
+			msg->rep->rrset_count = 0;
+			iq->response = msg;
 			iq->dp = NULL;
 			iq->refetch_glue = 0;
 			iq->query_restart_count++;
@@ -2739,6 +2751,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		if (qstate->env->cfg->qname_minimisation)
 			iq->minimisation_state = INIT_MINIMISE_STATE;
 		/* Clear the query state, since this is a query restart. */
+		iq->response->rep->an_numrrsets = 0;
+		iq->response->rep->ns_numrrsets = 0;
+		iq->response->rep->ar_numrrsets = 0;
+		iq->response->rep->rrset_count = 0;
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
 		iq->dsns_point = NULL;
diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl
index 8f4a29c7..1ce8c2cb 100644
--- a/testdata/iter_dname_insec.rpl
+++ b/testdata/iter_dname_insec.rpl
@@ -776,12 +776,18 @@ ENTRY_END
 
 ; Expected result is defined by RFC 1034 section 3.6.2:
 ; CNAME chains should be followed and CNAME loops signalled as an error
+; but bug#3512: return partial contents with NOERROR.
 STEP 221002 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO NOERROR
 SECTION QUESTION
 cyc2.example.com. IN A
+SECTION ANSWER
+example.com.	0	IN	DNAME	cyc2.example.net.
+cyc2.example.com.	0	IN	CNAME	cyc2.cyc2.example.net.
+cyc2.example.net.	0	IN	DNAME	example.com.
+cyc2.cyc2.example.net.	0	IN	CNAME	cyc2.example.com.
 ENTRY_END
 
 ; ns1.example.com.
diff --git a/testdata/val_cname_loop1.rpl b/testdata/val_cname_loop1.rpl
index 61fcdb70..b942cb26 100644
--- a/testdata/val_cname_loop1.rpl
+++ b/testdata/val_cname_loop1.rpl
@@ -5,6 +5,7 @@ server:
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
+	trust-anchor-signaling: no
 
 stub-zone:
 	name: "."
@@ -86,6 +87,17 @@ ns.example.com.         IN      A       1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+ns.example.com. IN NSEC www.example.com. A RRSIG NSEC
+ns.example.com.	3600	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AE+zfHodyVCTnni/bur8IiUhTUtdac6ip/znrYYN0l1nqll1fon2+kQ=
+ENTRY_END
+
 ; response to DNSKEY priming query
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -104,6 +116,18 @@ ns.example.com.		IN 	A	1.2.3.4
 ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ENTRY_END
 
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN DS
+SECTION AUTHORITY
+www.example.com. IN NSEC z.example.com. CNAME RRSIG NSEC
+www.example.com.	3600	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AJ8hqdeoKtvR094y+0KjO6LkCe1SCs6z5YhuY2YZCmzvUiYHP9wiMTw=
+ENTRY_END
+
 ; response to query of interest
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -134,10 +158,12 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO AD NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com.        3600    IN      CNAME   www.example.com.
+www.example.com.        3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
diff --git a/testdata/val_cname_loop2.rpl b/testdata/val_cname_loop2.rpl
index 26644bc1..d42bbd2c 100644
--- a/testdata/val_cname_loop2.rpl
+++ b/testdata/val_cname_loop2.rpl
@@ -5,6 +5,7 @@ server:
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
+	trust-anchor-signaling: no
 
 stub-zone:
 	name: "."
@@ -113,7 +114,7 @@ SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
 www.example.com. IN	CNAME	foo.example.com.
-www.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
+www.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -126,7 +127,7 @@ SECTION QUESTION
 foo.example.com. IN A
 SECTION ANSWER
 foo.example.com. IN	CNAME	www.example.com.
-foo.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC7kcWPsMnGbjvzj5UNnxQzM0YvnAhUAgxIKgs1huJHvcAP2Xt3p8Adpy/c= ;{id = 2854}
+foo.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg=
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -143,10 +144,14 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO AD NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com.        3600    IN      CNAME   foo.example.com.
+www.example.com.        3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= ;{id = 2854}
+foo.example.com.        3600    IN      CNAME   www.example.com.
+foo.example.com.        3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= ;{id = 2854}
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
diff --git a/testdata/val_cname_loop3.rpl b/testdata/val_cname_loop3.rpl
index fbd0d8ab..30e6abfb 100644
--- a/testdata/val_cname_loop3.rpl
+++ b/testdata/val_cname_loop3.rpl
@@ -5,6 +5,7 @@ server:
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
 	fake-sha1: yes
+	trust-anchor-signaling: no
 
 stub-zone:
 	name: "."
@@ -113,7 +114,7 @@ SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
 www.example.com. IN	CNAME	foo.example.com.
-www.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
+www.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -126,7 +127,7 @@ SECTION QUESTION
 foo.example.com. IN A
 SECTION ANSWER
 foo.example.com. IN	CNAME	bar.example.com.
-foo.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFFMlXuWrNL/8aYOl9U9WYjgif8gAAhUAqsC/xOXakHP1SYxMSLANziOik94= ;{id = 2854}
+foo.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AILRq+NAK+k+qCNJAmByoTAkGNveSHT+au0u360OeUa56b8zU7gi6+I=
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -139,7 +140,7 @@ SECTION QUESTION
 bar.example.com. IN A
 SECTION ANSWER
 bar.example.com. IN	CNAME	www.example.com.
-bar.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFAsalUJJSV86uPlfiGS3kKDc0JB7AhQ+qmHqagY/r36Re/J3Q1OfvcA1dA== ;{id = 2854}
+bar.example.com.	3600	IN	RRSIG	CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKA7eO4DAGPB8vg/OdBLk41/2txpklOJrszT8Gvp+UOVSLYtddNGz+k=
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -156,10 +157,13 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA SERVFAIL
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com.        3600    IN      CNAME   foo.example.com.
+foo.example.com.        3600    IN      CNAME   bar.example.com.
+bar.example.com.        3600    IN      CNAME   www.example.com.
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
diff --git a/validator/validator.c b/validator/validator.c
index a924a3f8..81d67cd3 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -1529,6 +1529,22 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
 		if(verbosity >= VERB_ALGO)
 			log_dns_msg("chased extract", &vq->qchase, 
 				vq->chase_reply);
+		/* we skipped cnames, and now the reply is empty, is this
+		 * a CNAME loop? */
+		if(vq->rrset_skip > 0 && vq->chase_reply->rrset_count == 0) {
+			if(reply_find_rrset_section_an(vq->orig_msg->rep,
+				lookup_name, lookup_len, LDNS_RR_TYPE_CNAME,
+				vq->qchase.qclass)) {
+				if(anchor) {
+					lock_basic_unlock(&anchor->lock);
+				}
+				verbose(VERB_ALGO, "validator: encountered "
+					"CNAME loop - terminating");
+				vq->chase_reply->security = vq->orig_msg->rep->security;
+				vq->state = VAL_FINISHED_STATE;
+				return 1;
+			}
+		}
 	}
 
 	vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len,
Commit	Line	Data
e30ec7d4	1	diff --git a/iterator/iterator.c b/iterator/iterator.c
d970dbd1	2	index 7f3c6573..33fb02dd 100644
e30ec7d4 AM	3	--- a/iterator/iterator.c
	4	+++ b/iterator/iterator.c
	5	@@ -1157,6 +1157,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
	6	if(iq->query_restart_count > MAX_RESTART_COUNT) {
	7	verbose(VERB_QUERY, "request has exceeded the maximum number"
	8	" of query restarts with %d", iq->query_restart_count);
	9	+ if(iq->response) {
	10	+ /* return the partial CNAME loop, i.e. with the
	11	+ * actual packet in iq->response cleared of RRsets,
	12	+ * the stored prepend RRsets contain the loop contents
	13	+ * with duplicates removed */
	14	+ return next_state(iq, FINISHED_STATE);
	15	+ }
	16	return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
	17	}
	18
d970dbd1	19	@@ -1246,6 +1253,11 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
e30ec7d4 AM	20	iq->qchase.qname_len = slen;
	21	/* This is a query restart, even if it is a cheap
	22	* one. */
	23	+ msg->rep->an_numrrsets = 0;
	24	+ msg->rep->ns_numrrsets = 0;
	25	+ msg->rep->ar_numrrsets = 0;
	26	+ msg->rep->rrset_count = 0;
d970dbd1	27	+ iq->response = msg;
e30ec7d4 AM	28	iq->dp = NULL;
	29	iq->refetch_glue = 0;
	30	iq->query_restart_count++;
d970dbd1	31	@@ -2739,6 +2751,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
e30ec7d4 AM	32	if (qstate->env->cfg->qname_minimisation)
	33	iq->minimisation_state = INIT_MINIMISE_STATE;
	34	/* Clear the query state, since this is a query restart. */
	35	+ iq->response->rep->an_numrrsets = 0;
	36	+ iq->response->rep->ns_numrrsets = 0;
	37	+ iq->response->rep->ar_numrrsets = 0;
	38	+ iq->response->rep->rrset_count = 0;
	39	iq->deleg_msg = NULL;
	40	iq->dp = NULL;
	41	iq->dsns_point = NULL;
d970dbd1 AM	42	diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl
	43	index 8f4a29c7..1ce8c2cb 100644
	44	--- a/testdata/iter_dname_insec.rpl
	45	+++ b/testdata/iter_dname_insec.rpl
	46	@@ -776,12 +776,18 @@ ENTRY_END
	47
	48	; Expected result is defined by RFC 1034 section 3.6.2:
	49	; CNAME chains should be followed and CNAME loops signalled as an error
	50	+; but bug#3512: return partial contents with NOERROR.
	51	STEP 221002 CHECK_ANSWER
	52	ENTRY_BEGIN
	53	MATCH all
	54	-REPLY QR RD RA DO SERVFAIL
	55	+REPLY QR RD RA DO NOERROR
	56	SECTION QUESTION
	57	cyc2.example.com. IN A
	58	+SECTION ANSWER
	59	+example.com. 0 IN DNAME cyc2.example.net.
	60	+cyc2.example.com. 0 IN CNAME cyc2.cyc2.example.net.
	61	+cyc2.example.net. 0 IN DNAME example.com.
	62	+cyc2.cyc2.example.net. 0 IN CNAME cyc2.example.com.
	63	ENTRY_END
	64
	65	; ns1.example.com.
	66	diff --git a/testdata/val_cname_loop1.rpl b/testdata/val_cname_loop1.rpl
	67	index 61fcdb70..b942cb26 100644
	68	--- a/testdata/val_cname_loop1.rpl
	69	+++ b/testdata/val_cname_loop1.rpl
	70	@@ -5,6 +5,7 @@ server:
	71	val-override-date: "20070916134226"
	72	target-fetch-policy: "0 0 0 0 0"
	73	fake-sha1: yes
	74	+ trust-anchor-signaling: no
	75
	76	stub-zone:
	77	name: "."
	78	@@ -86,6 +87,17 @@ ns.example.com. IN A 1.2.3.4
	79	ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
	80	ENTRY_END
	81
	82	+ENTRY_BEGIN
	83	+MATCH opcode qtype qname
	84	+ADJUST copy_id
	85	+REPLY QR NOERROR
	86	+SECTION QUESTION
	87	+ns.example.com. IN AAAA
	88	+SECTION AUTHORITY
	89	+ns.example.com. IN NSEC www.example.com. A RRSIG NSEC
	90	+ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AE+zfHodyVCTnni/bur8IiUhTUtdac6ip/znrYYN0l1nqll1fon2+kQ=
	91	+ENTRY_END
	92	+
	93	; response to DNSKEY priming query
	94	ENTRY_BEGIN
	95	MATCH opcode qtype qname
	96	@@ -104,6 +116,18 @@ ns.example.com. IN A 1.2.3.4
	97	ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
	98	ENTRY_END
	99
	100	+; response to DNSKEY priming query
	101	+ENTRY_BEGIN
	102	+MATCH opcode qtype qname
	103	+ADJUST copy_id
	104	+REPLY QR NOERROR
	105	+SECTION QUESTION
106	+www.example.com. IN DS
107	+SECTION AUTHORITY
108	+www.example.com. IN NSEC z.example.com. CNAME RRSIG NSEC
109	+www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AJ8hqdeoKtvR094y+0KjO6LkCe1SCs6z5YhuY2YZCmzvUiYHP9wiMTw=
110	+ENTRY_END
111	+
112	; response to query of interest
113	ENTRY_BEGIN
114	MATCH opcode qtype qname
115	@@ -134,10 +158,12 @@ ENTRY_END
116	STEP 10 CHECK_ANSWER
117	ENTRY_BEGIN
118	MATCH all
119	-REPLY QR RD RA DO SERVFAIL
120	+REPLY QR RD RA DO AD NOERROR
121	SECTION QUESTION
122	www.example.com. IN A
123	SECTION ANSWER
124	+www.example.com. 3600 IN CNAME www.example.com.
125	+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
126	SECTION AUTHORITY
127	SECTION ADDITIONAL
128	ENTRY_END
129	diff --git a/testdata/val_cname_loop2.rpl b/testdata/val_cname_loop2.rpl
130	index 26644bc1..d42bbd2c 100644
131	--- a/testdata/val_cname_loop2.rpl
132	+++ b/testdata/val_cname_loop2.rpl
133	@@ -5,6 +5,7 @@ server:
134	val-override-date: "20070916134226"
135	target-fetch-policy: "0 0 0 0 0"
136	fake-sha1: yes
137	+ trust-anchor-signaling: no
138
139	stub-zone:
140	name: "."
141	@@ -113,7 +114,7 @@ SECTION QUESTION
142	www.example.com. IN A
143	SECTION ANSWER
144	www.example.com. IN CNAME foo.example.com.
145	-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
146	+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
147	SECTION AUTHORITY
148	SECTION ADDITIONAL
149	ENTRY_END
150	@@ -126,7 +127,7 @@ SECTION QUESTION
151	foo.example.com. IN A
152	SECTION ANSWER
153	foo.example.com. IN CNAME www.example.com.
154	-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC7kcWPsMnGbjvzj5UNnxQzM0YvnAhUAgxIKgs1huJHvcAP2Xt3p8Adpy/c= ;{id = 2854}
155	+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg=
156	SECTION AUTHORITY
157	SECTION ADDITIONAL
158	ENTRY_END
159	@@ -143,10 +144,14 @@ ENTRY_END
160	STEP 10 CHECK_ANSWER
161	ENTRY_BEGIN
162	MATCH all
163	-REPLY QR RD RA DO SERVFAIL
164	+REPLY QR RD RA DO AD NOERROR
165	SECTION QUESTION
166	www.example.com. IN A
167	SECTION ANSWER
168	+www.example.com. 3600 IN CNAME foo.example.com.
169	+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= ;{id = 2854}
170	+foo.example.com. 3600 IN CNAME www.example.com.
171	+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= ;{id = 2854}
172	SECTION AUTHORITY
173	SECTION ADDITIONAL
174	ENTRY_END
175	diff --git a/testdata/val_cname_loop3.rpl b/testdata/val_cname_loop3.rpl
176	index fbd0d8ab..30e6abfb 100644
177	--- a/testdata/val_cname_loop3.rpl
178	+++ b/testdata/val_cname_loop3.rpl
179	@@ -5,6 +5,7 @@ server:
180	val-override-date: "20070916134226"
181	target-fetch-policy: "0 0 0 0 0"
182	fake-sha1: yes
183	+ trust-anchor-signaling: no
184
185	stub-zone:
186	name: "."
187	@@ -113,7 +114,7 @@ SECTION QUESTION
188	www.example.com. IN A
189	SECTION ANSWER
190	www.example.com. IN CNAME foo.example.com.
191	-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
192	+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
193	SECTION AUTHORITY
194	SECTION ADDITIONAL
195	ENTRY_END
196	@@ -126,7 +127,7 @@ SECTION QUESTION
197	foo.example.com. IN A
198	SECTION ANSWER
199	foo.example.com. IN CNAME bar.example.com.
200	-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFFMlXuWrNL/8aYOl9U9WYjgif8gAAhUAqsC/xOXakHP1SYxMSLANziOik94= ;{id = 2854}
201	+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AILRq+NAK+k+qCNJAmByoTAkGNveSHT+au0u360OeUa56b8zU7gi6+I=
202	SECTION AUTHORITY
203	SECTION ADDITIONAL
204	ENTRY_END
205	@@ -139,7 +140,7 @@ SECTION QUESTION
206	bar.example.com. IN A
207	SECTION ANSWER
208	bar.example.com. IN CNAME www.example.com.
209	-bar.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFAsalUJJSV86uPlfiGS3kKDc0JB7AhQ+qmHqagY/r36Re/J3Q1OfvcA1dA== ;{id = 2854}
210	+bar.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKA7eO4DAGPB8vg/OdBLk41/2txpklOJrszT8Gvp+UOVSLYtddNGz+k=
211	SECTION AUTHORITY
212	SECTION ADDITIONAL
213	ENTRY_END
214	@@ -156,10 +157,13 @@ ENTRY_END
215	STEP 10 CHECK_ANSWER
216	ENTRY_BEGIN
217	MATCH all
218	-REPLY QR RD RA SERVFAIL
219	+REPLY QR RD RA NOERROR
220	SECTION QUESTION
221	www.example.com. IN A
222	SECTION ANSWER
223	+www.example.com. 3600 IN CNAME foo.example.com.
224	+foo.example.com. 3600 IN CNAME bar.example.com.
225	+bar.example.com. 3600 IN CNAME www.example.com.
226	SECTION AUTHORITY
227	SECTION ADDITIONAL
228	ENTRY_END
229	diff --git a/validator/validator.c b/validator/validator.c
230	index a924a3f8..81d67cd3 100644
231	--- a/validator/validator.c
232	+++ b/validator/validator.c
233	@@ -1529,6 +1529,22 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
234	if(verbosity >= VERB_ALGO)
235	log_dns_msg("chased extract", &vq->qchase,
236	vq->chase_reply);
237	+ /* we skipped cnames, and now the reply is empty, is this
238	+ * a CNAME loop? */
239	+ if(vq->rrset_skip > 0 && vq->chase_reply->rrset_count == 0) {
240	+ if(reply_find_rrset_section_an(vq->orig_msg->rep,
241	+ lookup_name, lookup_len, LDNS_RR_TYPE_CNAME,
242	+ vq->qchase.qclass)) {
243	+ if(anchor) {
244	+ lock_basic_unlock(&anchor->lock);
245	+ }
246	+ verbose(VERB_ALGO, "validator: encountered "
247	+ "CNAME loop - terminating");
248	+ vq->chase_reply->security = vq->orig_msg->rep->security;
249	+ vq->state = VAL_FINISHED_STATE;
250	+ return 1;
251	+ }
252	+ }
253	}
254
255	vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len,