[master] fix rpz formerr loop

4531.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]

CHANGES

@@ -1,3 +1,7 @@
+4531.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
 4530.	[bug]		"dyndb" is dependent on dlopen existing / being
 			enabled. [RT #45291]
 

bin/named/query.c

@@ -6428,7 +6428,7 @@ query_respond(query_ctx_t *qctx) {
 	/*
 	 * If we have a zero ttl from the cache, refetch.
 	 */
-	if (!qctx->is_zone && qctx->event == NULL &&
+	if (!qctx->is_zone && !qctx->resuming &&
 	    qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client))
 	{
 		qctx_clean(qctx);
@@ -7895,7 +7895,7 @@ query_cname(query_ctx_t *qctx) {
 	/*
 	 * If we have a zero ttl from the cache refetch it.
 	 */
-	if (!qctx->is_zone && qctx->event == NULL &&
+	if (!qctx->is_zone && !qctx->resuming &&
 	    qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client))
 	{
 		qctx_clean(qctx);

doc/arm/notes.xml

@@ -67,6 +67,14 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  With certain RPZ configurations, a response with TTL 0
+	  could cause <command>named</command> to go into an infinite
+	  query loop. This flaw is disclosed in CVE-2017-3140.
+	  [RT #45181]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  <command>rndc ""</command> could trigger an assertion failure