From: Otto Moerbeek
Date: Fri, 28 Jan 2022 13:26:36 +0000 (+0100)
Subject: If we get a CNAME when asking for a DS, we should give up and return vState::BogusUna...
X-Git-Tag: auth-4.7.0-alpha1~39^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=271ae639803453a6193b6c3c2baf034446a9965a;p=thirdparty%2Fpdns.git

If we get a CNAME when asking for a DS, we should give up and return vState::BogusUnableToGetDSs
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 4daa7440bd..3358831a44 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2904,12 +2904,18 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 state = vState::BogusSelfSignedDS;
 dsFailed = true;
 }
- else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {
+ else if (qtype == QType::DS && signer == qname && !signer.isRoot()) {
+ if (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3) {
 /* if we are trying to validate the DS or more likely NSEC(3)s proving that it does not exist, we have a problem.
 In that case let's go Bogus (we will check later if we missed a cut)
 */
- state = vState::BogusSelfSignedDS;
- dsFailed = true;
+ state = vState::BogusSelfSignedDS;
+ dsFailed = true;
+ }
+ else if (type == QType::CNAME) {
+ state = vState::BogusUnableToGetDSs;
+ dsFailed = true;
+ }
 }
 else if (qtype == QType::DNSKEY && signer == qname) {
 /* that actually does happen when a server returns NS records in authority
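Review bot: Widening the outer `else if` to every record type for a same-signer DS query changes the fall-through for types other than SOA, NSEC, NSEC3 and CNAME: before the change such records did not match this branch and continued down the else-if chain, now they match it, hit neither inner case and leave `state` and `dsFailed` untouched, so any handling a later branch (outside the hunk) gave them is skipped silently. If that is not intended, keep the type check in the outer condition, e.g. `else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3 || type == QType::CNAME)) {` with `state = (type == QType::CNAME) ? vState::BogusUnableToGetDSs : vState::BogusSelfSignedDS;` in the body. The new CNAME case also lacks the why-comment its SOA/NSEC sibling has; something like `/* a CNAME where we asked for a DS means we cannot obtain the DS set here, so give up rather than follow the CNAME while validating */` would record the decision. validateRecordsWithSigs begins and ends outside the hunk.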