- Fix #761: DNSSEC LAME false positive resolving nic.club.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 18 May 2016 14:09:12 +0000 (14:09 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 18 May 2016 14:09:12 +0000 (14:09 +0000)
git-svn-id: file:///svn/unbound/trunk@3720 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
iterator/iterator.c
iterator/iterator.h

index 807a56171970959ea0c835691d5c2d9cca05457f..cbc8c89705b53ef2b103cf4d009aa702891cb75b 100644 (file)
@@ -1,3 +1,6 @@
+18 May 2016: Wouter
+       - Fix #761: DNSSEC LAME false positive resolving nic.club.
+
 17 May 2016: Wouter
        - trunk updated with output of flex 2.6.0.
 
index 421ddf5b141eb854ef23ccbef59a282135e79ec8..d3022c4a7b4cc0cff4c1ed84c5803aee222a7cf1 100644 (file)
@@ -2174,6 +2174,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
        }
        if(iq->dnssec_expected && !iq->dnssec_lame_query &&
                !(iq->chase_flags&BIT_RD) 
+               && iq->sent_count < DNSSEC_LAME_DETECT_COUNT
                && type != RESPONSE_TYPE_LAME 
                && type != RESPONSE_TYPE_REC_LAME 
                && type != RESPONSE_TYPE_THROWAWAY 
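Review bot: The added `iq->sent_count < DNSSEC_LAME_DETECT_COUNT` term silently switches off the missing-RRSIG lameness check once the counter reaches the limit, and nothing at this site records why or that it happened. A reply without signatures for a zone where DNSSEC is expected is then treated as an ordinary response, so rejecting stripped or unsigned data depends on validation that runs after the iterator; that is presumably the validator module, but it is not visible in this hunk. I would add a comment above the condition, e.g. `/* stop dnssec-lame detection after DNSSEC_LAME_DETECT_COUNT queries to avoid false positives (#761); later validation must still judge the answer */`, and consider a verbose log line for the skipped case so an operator can tell a skipped check from a passed one. The `if` condition and its body continue outside the hunk.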
index 42c620dbe1e4c3ca594eec1ef2fa4004dfb98512..7c32a74f800baf377bf7d9dbf0111940c3582dd4 100644 (file)
@@ -61,6 +61,9 @@ struct rbtree_t;
 #define MAX_REFERRAL_COUNT     130
 /** max number of queries-sent-out.  Make sure large NS set does not loop */
 #define MAX_SENT_COUNT         32
+/** max number of queries for which to perform dnsseclameness detection,
+ * (rrsigs misssing detection) after that, just pick up that response */
+#define DNSSEC_LAME_DETECT_COUNT 4
 /**
  * max number of QNAME minimisation iterations. Limits number of queries for
  * QNAMEs with a lot of labels.
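Review bot: The comment on `DNSSEC_LAME_DETECT_COUNT` has typos ("dnsseclameness", "misssing") and gives no reason for the value 4 or how it relates to `MAX_SENT_COUNT` directly above it. The value decides how soon replies without RRSIGs stop being treated as lame, so the rationale deserves a sentence next to the define. Suggested wording: `/** max number of sent queries for which DNSSEC lameness detection (missing RRSIGs) is performed; after that the response is picked up as is */`, followed by a short note on why 4 was chosen.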