From 3b54c577c8ba3a46cc4e9b7bf281b9e6eff7fb44 Mon Sep 17 00:00:00 2001
From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 11 Apr 2018 10:15:57 +0200
Subject: [PATCH] aj reported that we increase "dnssec-validations" counter
 even when running with process-no-validate.  This can be caused by us
 receiving queries for special names ('localhost', 'version.bind') which we
 explicitly mark as Insecure. This led our statistics to conclude a validation
 attempt had taken place. This commit puts the update check behind
 'shouldValidate()'.

---
 pdns/syncres.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index e4357201a..4415c59cf 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -140,10 +140,10 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
   int res=doResolve(qname, qtype, ret, 0, beenthere, state);
   d_queryValidationState = state;
 
-  if (d_queryValidationState != Indeterminate) {
-    g_stats.dnssecValidations++;
-  }
   if (shouldValidate()) {
+    if (d_queryValidationState != Indeterminate) {
+      g_stats.dnssecValidations++;
+    }
     increaseDNSSECStateCounter(d_queryValidationState);
   }
 
-- 
2.40.0