1546. [bug] We were rejecting valid secure CNAME to negative

answers.
reviewed: explorer

CHANGES

@@ -1,3 +1,6 @@
+1546.	[bug]		We were rejecting valid secure CNAME to negative
+			answers.
+
 1545.	[bug]		It was possible to leak memory if named was unable to
 			bind to the specified transfer source and TSIG was
 			being used. [RT #10120]

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.272 2003/10/26 21:33:47 marka Exp $ */
+/* $Id: resolver.c,v 1.273 2004/01/05 05:42:16 marka Exp $ */
 
 #include <config.h>
 
@@ -4356,21 +4356,20 @@ answer_response(fetchctx_t *fctx) {
 				 * We could add an "else" clause here and
 				 * log that we're ignoring this rdataset.
 				 */
-				
-				/*
-				 * If wanted_chaining is true, we've done
-				 * some chaining as the result of processing
-				 * this node, and thus we need to set
-				 * chaining to true.
-				 *
-				 * We don't set chaining inside of the
-				 * rdataset loop because doing that would
-				 * cause us to ignore the signatures of
-				 * CNAMEs.
-				 */
-				if (wanted_chaining)
-					chaining = ISC_TRUE;
 			}
+			/*
+			 * If wanted_chaining is true, we've done
+			 * some chaining as the result of processing
+			 * this node, and thus we need to set
+			 * chaining to true.
+			 *
+			 * We don't set chaining inside of the
+			 * rdataset loop because doing that would
+			 * cause us to ignore the signatures of
+			 * CNAMEs.
+			 */
+			if (wanted_chaining)
+				chaining = ISC_TRUE;
 		} else {
 			/*
 			 * Look for a DNAME (or its SIG).  Anything else is
@@ -4508,7 +4507,7 @@ answer_response(fetchctx_t *fctx) {
 	/*
 	 * Did chaining end before we got the final answer?
 	 */
-	if (want_chaining) {
+	if (chaining) {
 		/*
 		 * Yes.  This may be a negative reply, so hand off
 		 * authority section processing to the noanswer code.