authorSimon Kelley <simon@thekelleys.org.uk>2014-03-01 20:08:58 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2014-03-01 20:08:58 +0000
commitd1fbb77e0f6653a9838db84c1b0ef1e529cda441 (patch)
treee2cb1bf330e6987d6e235e098cb8e28e63274451
parent1fbe4d2f5ff8389ae8c721f50ac99cb94f0012f0 (diff)
downloaddnsmasq-d1fbb77e0f6653a9838db84c1b0ef1e529cda441.tar.gz
Don't cache secure replies which we've messed with.
-rw-r--r--src/rfc1035.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 15b4261..3f13369 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -917,8 +917,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
searched_soa = 1;
ttl = find_soa(header, qlen, name, doctored);
#ifdef HAVE_DNSSEC
- if (*doctored)
- secure = 0;
+ if (*doctored && secure)
+ return 0;
#endif
}
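Review bot: The new early `return 0` under `#ifdef HAVE_DNSSEC` carries no comment explaining why a reply that is both `secure` and `*doctored` now leaves `extract_addresses` without being processed further. The other early exits in this diff return the same 0, so a reader cannot tell a deliberate "do not cache" from a rejected packet. I would add a line such as `/* a validated reply we have doctored must not reach the cache */` above the test. The guard follows only this one `find_soa()` call. If `doctored` can also be set by calls further down the function (not visible in this hunk), those sites need the same check, otherwise a locally modified answer could still be stored with the secure flag. The function body starts and ends outside the hunk.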
@@ -988,9 +988,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
if (aqtype == T_CNAME)
{
- if (!cname_count--)
- return 0; /* looped CNAMES */
- secflag = 0; /* no longer DNSSEC */
+ if (!cname_count-- || secure)
+ return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
goto cname_loop;
}
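Review bot: The condition `!cname_count-- || secure` folds a loop-limit check and a DNSSEC caching policy into a single exit, and its second half is broader than the commit title: it stops processing for every secure reply that contains a CNAME, not only for doctored ones. If that is intended, keeping the original `if (!cname_count--) return 0; /* looped CNAMES */` and following it with `if (secure) return 0; /* validated CNAME chains are not cached */` keeps the two reasons separate without changing evaluation order. The removed `secflag = 0;` suggests `secflag` may no longer be cleared anywhere on this path; it is worth checking outside the hunk whether it is still needed. The enclosing loop and the `cname_loop` label are outside the hunk.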