From 19d1e7b17da9cd86959bdd12d8ff0a5296300d2a Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Jul 2016 15:09:34 +0200
Subject: [PATCH] Skip a level when a CNAME is found for the name

If we'd encounter a CNAME when chasing for DS/DNSKEY, we followed it and
concluded that the domain was bogus. We now skip this level and try to
get a DS record for the next name.

I'm unsure this is the correct solution, but it fixes #4158
---
 pdns/validate.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 8d9571ee9..bb90f41dd 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -381,7 +381,11 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 
         for(const auto& v : validrrsets) {
           LOG("Do have: "<<v.first.first<<"/"<<DNSRecordContent::NumberToType(v.first.second)<<endl);
-          if(v.first.second==QType::NSEC) { // check that it covers us!
+          if(v.first.second==QType::CNAME) {
+            LOG("Found CNAME for "<< v.first.first << ", ignoring records at this level."<<endl);
+            goto skipLevel;
+          }
+          else if(v.first.second==QType::NSEC) { // check that it covers us!
             for(const auto& r : v.second.records) {
               LOG("\t"<<r->getZoneRepresentation()<<endl);
               auto nsec = std::dynamic_pointer_cast<NSECRecordContent>(r);
-- 
2.40.0