If we encountered a CNAME when chasing for DS/DNSKEY, we followed it and
concluded that the domain was bogus. We now skip this level and try to
get a DS record for the next name.
I'm unsure this is the correct solution, but it fixes #4158.
for(const auto& v : validrrsets) {
LOG("Do have: "<<v.first.first<<"/"<<DNSRecordContent::NumberToType(v.first.second)<<endl);
- if(v.first.second==QType::NSEC) { // check that it covers us!
+ if(v.first.second==QType::CNAME) {
+ LOG("Found CNAME for "<< v.first.first << ", ignoring records at this level."<<endl);
+ goto skipLevel;
+ }
+ else if(v.first.second==QType::NSEC) { // check that it covers us!
for(const auto& r : v.second.records) {
LOG("\t"<<r->getZoneRepresentation()<<endl);
auto nsec = std::dynamic_pointer_cast<NSECRecordContent>(r);
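Review bot: The new CNAME branch tests only the record type (`v.first.second==QType::CNAME`) and then leaves the loop with `goto skipLevel`, so the first CNAME rrset met in `validrrsets` discards the whole level before the NSEC branch can run for any NSEC rrset still to be iterated. The result then depends on iteration order, and a denial proof present at this level is never checked. Please compare the owner name `v.first.first` against the name being chased at this level before skipping, so that an unrelated CNAME in the validated set cannot trigger the skip. Consider replacing the `goto` with a flag that is evaluated after the loop has looked at every rrset, which also removes a jump out of a range-for to a label that is not visible near the branch. A short comment stating why a CNAME at this name means there is no DS to look for here would help, as would a regression test for #4158, given that the commit message itself says the fix may not be the correct one.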