1 diff --git a/iterator/iterator.c b/iterator/iterator.c
2 index 7f3c6573..33fb02dd 100644
3 --- a/iterator/iterator.c
4 +++ b/iterator/iterator.c
5 @@ -1157,6 +1157,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
6 if(iq->query_restart_count > MAX_RESTART_COUNT) {
7 verbose(VERB_QUERY, "request has exceeded the maximum number"
8 " of query restarts with %d", iq->query_restart_count);
10 + /* return the partial CNAME loop, i.e. with the
11 + * actual packet in iq->response cleared of RRsets,
12 + * the stored prepend RRsets contain the loop contents
13 + * with duplicates removed */
14 + return next_state(iq, FINISHED_STATE);
16 return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
19 @@ -1246,6 +1253,11 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
20 iq->qchase.qname_len = slen;
21 /* This *is* a query restart, even if it is a cheap
23 + msg->rep->an_numrrsets = 0;
24 + msg->rep->ns_numrrsets = 0;
25 + msg->rep->ar_numrrsets = 0;
26 + msg->rep->rrset_count = 0;
30 iq->query_restart_count++;
31 @@ -2739,6 +2751,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
32 if (qstate->env->cfg->qname_minimisation)
33 iq->minimisation_state = INIT_MINIMISE_STATE;
34 /* Clear the query state, since this is a query restart. */
35 + iq->response->rep->an_numrrsets = 0;
36 + iq->response->rep->ns_numrrsets = 0;
37 + iq->response->rep->ar_numrrsets = 0;
38 + iq->response->rep->rrset_count = 0;
41 iq->dsns_point = NULL;
42 diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl
43 index 8f4a29c7..1ce8c2cb 100644
44 --- a/testdata/iter_dname_insec.rpl
45 +++ b/testdata/iter_dname_insec.rpl
46 @@ -776,12 +776,18 @@ ENTRY_END
48 ; Expected result is defined by RFC 1034 section 3.6.2:
49 ; CNAME chains should be followed and CNAME loops signalled as an error
50 +; but bug#3512: return partial contents with NOERROR.
51 STEP 221002 CHECK_ANSWER
54 -REPLY QR RD RA DO SERVFAIL
55 +REPLY QR RD RA DO NOERROR
57 cyc2.example.com. IN A
59 +example.com. 0 IN DNAME cyc2.example.net.
60 +cyc2.example.com. 0 IN CNAME cyc2.cyc2.example.net.
61 +cyc2.example.net. 0 IN DNAME example.com.
62 +cyc2.cyc2.example.net. 0 IN CNAME cyc2.example.com.
66 diff --git a/testdata/val_cname_loop1.rpl b/testdata/val_cname_loop1.rpl
67 index 61fcdb70..b942cb26 100644
68 --- a/testdata/val_cname_loop1.rpl
69 +++ b/testdata/val_cname_loop1.rpl
70 @@ -5,6 +5,7 @@ server:
71 val-override-date: "20070916134226"
72 target-fetch-policy: "0 0 0 0 0"
74 + trust-anchor-signaling: no
78 @@ -86,6 +87,17 @@ ns.example.com. IN A 1.2.3.4
79 ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
83 +MATCH opcode qtype qname
87 +ns.example.com. IN AAAA
89 +ns.example.com. IN NSEC www.example.com. A RRSIG NSEC
90 +ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AE+zfHodyVCTnni/bur8IiUhTUtdac6ip/znrYYN0l1nqll1fon2+kQ=
93 ; response to DNSKEY priming query
95 MATCH opcode qtype qname
96 @@ -104,6 +116,18 @@ ns.example.com. IN A 1.2.3.4
97 ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
100 +; response to DNSKEY priming query
102 +MATCH opcode qtype qname
106 +www.example.com. IN DS
108 +www.example.com. IN NSEC z.example.com. CNAME RRSIG NSEC
109 +www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AJ8hqdeoKtvR094y+0KjO6LkCe1SCs6z5YhuY2YZCmzvUiYHP9wiMTw=
112 ; response to query of interest
114 MATCH opcode qtype qname
115 @@ -134,10 +158,12 @@ ENTRY_END
119 -REPLY QR RD RA DO SERVFAIL
120 +REPLY QR RD RA DO AD NOERROR
122 www.example.com. IN A
124 +www.example.com. 3600 IN CNAME www.example.com.
125 +www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
129 diff --git a/testdata/val_cname_loop2.rpl b/testdata/val_cname_loop2.rpl
130 index 26644bc1..d42bbd2c 100644
131 --- a/testdata/val_cname_loop2.rpl
132 +++ b/testdata/val_cname_loop2.rpl
133 @@ -5,6 +5,7 @@ server:
134 val-override-date: "20070916134226"
135 target-fetch-policy: "0 0 0 0 0"
137 + trust-anchor-signaling: no
141 @@ -113,7 +114,7 @@ SECTION QUESTION
142 www.example.com. IN A
144 www.example.com. IN CNAME foo.example.com.
145 -www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
146 +www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
150 @@ -126,7 +127,7 @@ SECTION QUESTION
151 foo.example.com. IN A
153 foo.example.com. IN CNAME www.example.com.
154 -foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC7kcWPsMnGbjvzj5UNnxQzM0YvnAhUAgxIKgs1huJHvcAP2Xt3p8Adpy/c= ;{id = 2854}
155 +foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg=
159 @@ -143,10 +144,14 @@ ENTRY_END
163 -REPLY QR RD RA DO SERVFAIL
164 +REPLY QR RD RA DO AD NOERROR
166 www.example.com. IN A
168 +www.example.com. 3600 IN CNAME foo.example.com.
169 +www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= ;{id = 2854}
170 +foo.example.com. 3600 IN CNAME www.example.com.
171 +foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= ;{id = 2854}
175 diff --git a/testdata/val_cname_loop3.rpl b/testdata/val_cname_loop3.rpl
176 index fbd0d8ab..30e6abfb 100644
177 --- a/testdata/val_cname_loop3.rpl
178 +++ b/testdata/val_cname_loop3.rpl
179 @@ -5,6 +5,7 @@ server:
180 val-override-date: "20070916134226"
181 target-fetch-policy: "0 0 0 0 0"
183 + trust-anchor-signaling: no
187 @@ -113,7 +114,7 @@ SECTION QUESTION
188 www.example.com. IN A
190 www.example.com. IN CNAME foo.example.com.
191 -www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
192 +www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
196 @@ -126,7 +127,7 @@ SECTION QUESTION
197 foo.example.com. IN A
199 foo.example.com. IN CNAME bar.example.com.
200 -foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFFMlXuWrNL/8aYOl9U9WYjgif8gAAhUAqsC/xOXakHP1SYxMSLANziOik94= ;{id = 2854}
201 +foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AILRq+NAK+k+qCNJAmByoTAkGNveSHT+au0u360OeUa56b8zU7gi6+I=
205 @@ -139,7 +140,7 @@ SECTION QUESTION
206 bar.example.com. IN A
208 bar.example.com. IN CNAME www.example.com.
209 -bar.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFAsalUJJSV86uPlfiGS3kKDc0JB7AhQ+qmHqagY/r36Re/J3Q1OfvcA1dA== ;{id = 2854}
210 +bar.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKA7eO4DAGPB8vg/OdBLk41/2txpklOJrszT8Gvp+UOVSLYtddNGz+k=
214 @@ -156,10 +157,13 @@ ENTRY_END
218 -REPLY QR RD RA SERVFAIL
219 +REPLY QR RD RA NOERROR
221 www.example.com. IN A
223 +www.example.com. 3600 IN CNAME foo.example.com.
224 +foo.example.com. 3600 IN CNAME bar.example.com.
225 +bar.example.com. 3600 IN CNAME www.example.com.
229 diff --git a/validator/validator.c b/validator/validator.c
230 index a924a3f8..81d67cd3 100644
231 --- a/validator/validator.c
232 +++ b/validator/validator.c
233 @@ -1529,6 +1529,22 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
234 if(verbosity >= VERB_ALGO)
235 log_dns_msg("chased extract", &vq->qchase,
237 + /* we skipped cnames, and now the reply is empty, is this
239 + if(vq->rrset_skip > 0 && vq->chase_reply->rrset_count == 0) {
240 + if(reply_find_rrset_section_an(vq->orig_msg->rep,
241 + lookup_name, lookup_len, LDNS_RR_TYPE_CNAME,
242 + vq->qchase.qclass)) {
244 + lock_basic_unlock(&anchor->lock);
246 + verbose(VERB_ALGO, "validator: encountered "
247 + "CNAME loop - terminating");
248 + vq->chase_reply->security = vq->orig_msg->rep->security;
249 + vq->state = VAL_FINISHED_STATE;
255 vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len,