- Fix that looped DNAMEs do not cause unbound to spend effort.

git-svn-id: file:///svn/unbound/trunk@4055 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -3,6 +3,7 @@
 	- Add trustanchor.unbound CH TXT that gets a response with a number
 	  of TXT RRs with a string like "example.com. 2345 1234" with
 	  the trust anchors and their keytags.
+	- Fix that looped DNAMEs do not cause unbound to spend effort.
 
 13 March 2017: Wouter
 	- testbound understands Deckard MATCH rcode question answer commands.

iterator/iterator.c

@@ -2263,6 +2263,17 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* YXDOMAIN is a permanent error, no need to retry */
 		type = RESPONSE_TYPE_ANSWER;
 	}
+	if(type == RESPONSE_TYPE_CNAME && iq->response->rep->an_numrrsets >= 1
+		&& ntohs(iq->response->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DNAME) {
+		uint8_t* sname = NULL;
+		size_t snamelen = 0;
+		get_cname_target(iq->response->rep->rrsets[0], &sname,
+			&snamelen);
+		if(snamelen && dname_subdomain_c(sname, iq->response->rep->rrsets[0]->rk.dname)) {
+			/* DNAME to a subdomain loop; do not recurse */
+			type = RESPONSE_TYPE_ANSWER;
+		}
+	}
 
 	/* handle each of the type cases */
 	if(type == RESPONSE_TYPE_ANSWER) {

testdata/iter_dname_insec.rpl

@@ -691,9 +691,12 @@ STEP 220902 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO
-REPLY SERVFAIL
+REPLY NOERROR
 SECTION QUESTION
 cyc.example.com. IN A
+SECTION ANSWER
+example.com.	0	IN	DNAME	example.com.
+cyc.example.com.	0	IN	CNAME	cyc.example.com.
 ENTRY_END
 
 ; ns1.example.com.