From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 11 Apr 2018 08:15:57 +0000 (+0200)
Subject: aj reported that we increase "dnssec-validations" counter even when running
X-Git-Tag: dnsdist-1.3.1~166^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b54c577c8ba3a46cc4e9b7bf281b9e6eff7fb44;p=thirdparty%2Fpdns.git

aj reported that we increase "dnssec-validations" counter even when running
with process-no-validate.  This can be caused by us receiving queries for
special names ('localhost', 'version.bind') which we explicitly mark as
Insecure. This led our statistics to conclude a validation attempt had taken place.
This commit puts the update check behind 'shouldValidate()'.
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index e4357201ad..4415c59cf7 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -140,10 +140,10 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
   int res=doResolve(qname, qtype, ret, 0, beenthere, state);
   d_queryValidationState = state;
 
-  if (d_queryValidationState != Indeterminate) {
-    g_stats.dnssecValidations++;
-  }
   if (shouldValidate()) {
+    if (d_queryValidationState != Indeterminate) {
+      g_stats.dnssecValidations++;
+    }
     increaseDNSSECStateCounter(d_queryValidationState);
   }