Don't cache DNS data from non-recursive nameservers.

CHANGELOG

@@ -77,6 +77,10 @@ version 2.61
 	    Tweak logo/favicon.ico to add some transparency. Thanks to
 	    SamLT for work on this.
 	    
+	    Don't cache data from non-recursive nameservers, since it
+	    may erroneously look like a valid CNAME to a non-exitant
+	    name. Thanks to Ben Winslow for finding this.
+	    
 
 version 2.60
             Fix compilation problem in Mac OS X Lion. Thanks to Olaf

src/rfc1035.c

@@ -1003,10 +1003,16 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	}
     }
   
-  /* Don't put stuff from a truncated packet into the cache,
-     also don't cache replies where DNSSEC validation was turned off, either
-     the upstream server told us so, or the original query specified it. */
-  if (!(header->hb3 & HB3_TC) && !(header->hb4 & HB4_CD) && !checking_disabled)
+  /* Don't put stuff from a truncated packet into the cache.
+     Don't cache replies where DNSSEC validation was turned off, either
+     the upstream server told us so, or the original query specified it. 
+     Don't cache replies from non-recursive nameservers, since we may get a 
+     reply containing a CNAME but not its target, even though the target 
+     does exist. */
+  if (!(header->hb3 & HB3_TC) && 
+      !(header->hb4 & HB4_CD) &&
+      (header->hb4 & HB4_RA) &&
+      !checking_disabled)
     cache_end_insert();
 
   return 0;