From d1fbb77e0f6653a9838db84c1b0ef1e529cda441 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Sat, 1 Mar 2014 20:08:58 +0000
Subject: Don't cache secure replies which we've messsed with.
---
 src/rfc1035.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 15b4261..3f13369 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -917,8 +917,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 searched_soa = 1;
 ttl = find_soa(header, qlen, name, doctored);
 #ifdef HAVE_DNSSEC
- if (*doctored)
- secure = 0;
+ if (*doctored && secure)
+ return 0;
 #endif
 }
@@ -988,9 +988,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 if (aqtype == T_CNAME)
 {
- if (!cname_count--)
- return 0; /* looped CNAMES */
- secflag = 0; /* no longer DNSSEC */
+ if (!cname_count-- || secure)
+ return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
 goto cname_loop;
 }
--
cgit v1.2.1
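Review bot: The new early `return 0` under `if (*doctored && secure)` in the `HAVE_DNSSEC` block leaves extract_addresses before everything that follows it, so a validated reply that was doctored skips not only caching but any other step the rest of the function performs. That remainder is outside the hunk, so it is worth confirming that no per-record check the caller relies on lives there. The line also carries no comment saying why it bails out instead of downgrading as the old `secure = 0` did; I would add `/* Reply was altered locally, so it no longer matches what was validated: cache nothing. */` above it. The body of extract_addresses starts and ends outside the hunk.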
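Review bot: In the `T_CNAME` branch, `if (!cname_count-- || secure)` folds a loop-protection limit and a DNSSEC caching policy into one condition with one return value, so a reader of the code or of a trace cannot tell a CNAME loop from a validated reply that was deliberately left uncached. Splitting it keeps the two reasons apart and lets each carry its own comment: `if (!cname_count--) return 0; /* looped CNAMES */` followed by `if (secure) return 0; /* validated reply with a CNAME here: not cached */`. Unlike the first hunk, this return does not test `*doctored`, so it applies to every secure reply that reaches this branch, which is broader than the commit title suggests; the comment should state the reason. The enclosing loop and the `cname_loop` label are outside the hunk.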