From 04cc2ae1a605c9b9d346d010178abf597fd0fe77 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Fri, 19 Aug 2022 13:28:00 +0100
Subject: Fix logic when a SERVFAIL reply is received after good replt for DNSSEC.

If we get a SERVFAIL or REFUSED answer to a DNSSEC query for which we already have a good answer, just ignore it.
---
 src/forward.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/forward.c b/src/forward.c
index f90be2f..8562b2d 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1073,12 +1073,15 @@ void reply_query(int fd, time_t now)
 size_t nn = 0;
 
 #ifdef HAVE_DNSSEC
- /* DNSSEC queries have a copy of the original query stashed.
- The query MAY have got a good answer, and be awaiting
+ /* The query MAY have got a good answer, and be awaiting
 the results of further queries, in which case The Stash contains
 something else and we don't need to retry anyway. */
- if ((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && !forward->blocking_query)
+ if (forward->blocking_query)
+ return;
+
+ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
 {
+ /* DNSSEC queries have a copy of the original query stashed. */
 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
 nn = forward->stash_len;
 udp_size = daemon->edns_pktsz;
-- 
cgit v1.2.1
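Review bot: The new `if (forward->blocking_query) return;` widens the old gate: previously `blocking_query` only suppressed the stash retrieval for DNSKEY/DS queries, whereas now any forward record with a pending blocking query makes reply_query return before the retry path, so a non-DNSSEC frec in that state is also no longer retried on SERVFAIL/REFUSED. That matches the commit message's intent, but the comment left above the return still only describes the stash, so a reader has to infer why ordinary queries are covered too; a comment such as `/* Any frec still waiting on a DNSKEY/DS query keeps its existing answer: drop this reply rather than retry. */` directly above the return would make the broadened scope explicit. Note the return also sits inside `#ifdef HAVE_DNSSEC`, so whether `blocking_query` can ever be set in a non-DNSSEC build, and whether the SERVFAIL/REFUSED reply being discarded here leaves anything in the frec that the later code in reply_query would have cleaned up, cannot be confirmed from the hunk; the body of reply_query continues outside it.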