From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 15 Jun 2026 14:26:35 +0000 (+0200)
Subject: - Fix erroneous DNS error report values after bogus AAAA
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69524cadad01f6b3da2f7e4bab4106a617fd56bf;p=thirdparty%2Funbound.git

- Fix erroneous DNS error report values after bogus AAAA
  query caused error information that was not cleared by
  a successful A subquery. Thanks to Qifan Zhang, Palo Alto
  Networks, for the report.
---

diff --git a/dns64/dns64.c b/dns64/dns64.c
index 4b1c20270..8431f556a 100644
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -1017,6 +1017,9 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 	if (super->return_rcode != LDNS_RCODE_NOERROR)
 		super->return_rcode = qstate->return_rcode;
 
+	/* Since the super qstate has a new response, its errinf is removed. */
+	super->errinf = NULL;
+
 	/* Generate a response suitable for the original query. */
 	if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) {
 		dns64_adjust_a(id, super, qstate);
diff --git a/doc/Changelog b/doc/Changelog
index a87ca8849..0b67da850 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -27,6 +27,10 @@
 	  Qifan Zhang, Palo Alto Networks, for the report.
 	- Fix integer overflow in infra-cache-max-rtt calculation.
 	  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
+	- Fix erroneous DNS error report values after bogus AAAA
+	  query caused error information that was not cleared by
+	  a successful A subquery. Thanks to Qifan Zhang, Palo Alto
+	  Networks, for the report.
 
 12 June 2026: Wouter
 	- Fix that for auth-zone and rpz zones the allow-notify
diff --git a/services/mesh.c b/services/mesh.c
index 2347bcee2..a2618b477 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -1793,7 +1793,8 @@ void mesh_query_done(struct mesh_state* mstate)
 		}
 	}
 
-	if(mstate->reply_list && mstate->s.env->cfg->dns_error_reporting)
+	if(mstate->reply_list && mstate->s.env->cfg->dns_error_reporting
+		&& (!rep || rep->security != sec_status_secure))
 		dns_error_reporting(&mstate->s, rep);
 
 	for(r = mstate->reply_list; r; r = r->next) {