Don't cache DNS data from non-recursive nameservers.
diff --git a/CHANGELOG b/CHANGELOG
index 5e78f5e..c100d97 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -77,6 +77,10 @@
Tweak logo/favicon.ico to add some transparency. Thanks to
SamLT for work on this.
+ Don't cache data from non-recursive nameservers, since it
+ may erroneously look like a valid CNAME to a non-exitant
+ name. Thanks to Ben Winslow for finding this.
+
version 2.60
Fix compilation problem in Mac OS X Lion. Thanks to Olaf
diff --git a/src/rfc1035.c b/src/rfc1035.c
index ea7678b..15abc25 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1003,10 +1003,16 @@
}
}
- /* Don't put stuff from a truncated packet into the cache,
- also don't cache replies where DNSSEC validation was turned off, either
- the upstream server told us so, or the original query specified it. */
- if (!(header->hb3 & HB3_TC) && !(header->hb4 & HB4_CD) && !checking_disabled)
+ /* Don't put stuff from a truncated packet into the cache.
+ Don't cache replies where DNSSEC validation was turned off, either
+ the upstream server told us so, or the original query specified it.
+ Don't cache replies from non-recursive nameservers, since we may get a
+ reply containing a CNAME but not its target, even though the target
+ does exist. */
+ if (!(header->hb3 & HB3_TC) &&
+ !(header->hb4 & HB4_CD) &&
+ (header->hb4 & HB4_RA) &&
+ !checking_disabled)
cache_end_insert();
return 0;
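Review bot: The new `(header->hb4 & HB4_RA)` test gates the whole `cache_end_insert()` call, so a reply with RA clear caches nothing at all, including complete answers that contain no CNAME. The comment explains only the CNAME-without-target case. Setups that forward specific domains to an authoritative-only upstream would, as far as this hunk shows, stop caching those domains entirely. I would state that trade-off in the comment, for example `RA clear means nothing from this reply is cached, complete answers included; this is deliberate.` The comment should also note that RA is read from the reply header exactly as the upstream set it, so the test is a completeness heuristic and not a validation of the reply's contents. The enclosing function starts outside the hunk, so how the staged records are discarded when `cache_end_insert()` is skipped is not visible here.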