From 8ed7b45ed5625af6349fdd2f9b3aba6ec82a583e Mon Sep 17 00:00:00 2001
From: bert hubert <bert.hubert@powerdns.com>
Date: Fri, 2 Oct 2015 15:29:43 +0200
Subject: [PATCH] fix double RRSIGs on CNAMEs on first query

---
 pdns/syncres.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index d8e6683c18..e967d76bdc 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1204,7 +1204,8 @@ int SyncRes::doResolveAt(set<DNSName> nameservers, DNSName auth, bool flawedNSSe
           newtarget=DNSName(rec.d_content->getZoneRepresentation());
         }
 	else if(d_doDNSSEC && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSRecord::Answer){
-	  ret.push_back(rec); // enjoy your DNSSEC
+	  if(rec.d_type != QType::RRSIG || rec.d_name == qname)
+	    ret.push_back(rec); // enjoy your DNSSEC
 	}
         // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
         else if(rec.d_place==DNSRecord::Answer && rec.d_name == qname &&
-- 
2.47.2