From: W.C.A. Wijngaards
Date: Tue, 4 Apr 2023 08:06:16 +0000 (+0200)
Subject: - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
X-Git-Tag: release-1.19.0rc1~38^2~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7618a9b80857bd8b651f40324f5731b0e00d5b6;p=thirdparty%2Funbound.git
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
---
diff --git a/doc/Changelog b/doc/Changelog
index e4bc11f90..fe427e7b1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+4 April 2023: Wouter
+ - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
+ CNAME record.
+
 24 March 2023: Philip
 - Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 5f2703f3c..047160e42 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2879,7 +2879,7 @@ static int
 processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 struct iter_env* ie, int id)
 {
- int dnsseclame = 0;
+ int dnsseclame = 0, origtypecname = 0;
 enum response_type type;
 iq->num_current_queries--;
@@ -2962,6 +2962,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 /* YXDOMAIN is a permanent error, no need to retry */
 type = RESPONSE_TYPE_ANSWER;
 }
+ if(type == RESPONSE_TYPE_CNAME)
+ origtypecname = 1;
 if(type == RESPONSE_TYPE_CNAME && iq->response->rep->an_numrrsets >= 1 && ntohs(iq->response->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DNAME) {
 uint8_t* sname = NULL;
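Review bot: The new `origtypecname` assignment in the hunk at -2962 carries no comment saying why the classification has to be remembered at this point instead of testing `type` where the NXDOMAIN check is made. The DNAME test on the following line works on the same `type` and its body lies outside the hunk, so a reader cannot tell from here whether `type` is changed before the later check; if that is the reason, a one-line comment such as `/* remember the original classification; type may be changed below */` would settle it. As a point of style the flag can be set in one statement, `origtypecname = (type == RESPONSE_TYPE_CNAME);`.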
@@ -3047,11 +3049,14 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 iq->minimisation_state = DONOT_MINIMISE_STATE;
 }
 if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
- LDNS_RCODE_NXDOMAIN) {
+ LDNS_RCODE_NXDOMAIN && !origtypecname) {
 /* Stop resolving when NXDOMAIN is DNSSEC
 * signed. Based on assumption that nameservers
 * serving signed zones do not return NXDOMAIN
 * for empty-non-terminals. */
+ /* If this response is actually a CNAME type,
+ * the nxdomain rcode may not be for the qname,
+ * and so it is not the final response. */
 if(iq->dnssec_expected)
 return final_state(iq);
 /* Make subrequest to validate intermediate
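Review bot: The added `!origtypecname` term guards the whole NXDOMAIN block, not only the `return final_state(iq)` shortcut, so for a CNAME-classified response the "Make subrequest to validate intermediate" path that begins on the last line of the hunk is skipped as well. That block continues outside the hunk, so it is worth confirming that skipping the intermediate validation is intended and not just the early return. The new comment explains the condition but sits inside the body after the "Stop resolving" comment; it would read better directly above the `if`. Because this branch decides whether a signed NXDOMAIN ends resolution, a regression test with a CNAME answer that carries an NXDOMAIN rcode would be a useful addition; none is visible in the patch as shown, which touches only doc/Changelog and iterator/iterator.c.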