- Fix #761: DNSSEC LAME false positive resolving nic.club.

git-svn-id: file:///svn/unbound/trunk@3720 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2016-05-18 14:09:12 +00:00 · 2016-05-18 14:09:12 +00:00 · 3d60a6f446
commit 3d60a6f446
parent feb1b86d1c
3 changed files with 7 additions and 0 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+18 May 2016: Wouter
+	- Fix #761: DNSSEC LAME false positive resolving nic.club.
+
 17 May 2016: Wouter
 	- trunk updated with output of flex 2.6.0.

--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -2174,6 +2174,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 	if(iq->dnssec_expected && !iq->dnssec_lame_query &&
 		!(iq->chase_flags&BIT_RD) 
+		&& iq->sent_count < DNSSEC_LAME_DETECT_COUNT
 		&& type != RESPONSE_TYPE_LAME 
 		&& type != RESPONSE_TYPE_REC_LAME 
 		&& type != RESPONSE_TYPE_THROWAWAY 
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@ -61,6 +61,9 @@ struct rbtree_t;
 #define MAX_REFERRAL_COUNT	130
 /** max number of queries-sent-out.  Make sure large NS set does not loop */
 #define MAX_SENT_COUNT		32
+/** max number of queries for which to perform dnsseclameness detection,
+ * (rrsigs misssing detection) after that, just pick up that response */
+#define DNSSEC_LAME_DETECT_COUNT 4
 /**
 * max number of QNAME minimisation iterations. Limits number of queries for
 * QNAMEs with a lot of labels.