From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Fri, 27 Aug 2021 08:33:21 +0000 (+0200)
Subject: - Fix #533: Negative responses get cached even when setting
X-Git-Tag: release-1.14.0rc1~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b2799fdd6190f8e7c86ebc4bcb3e06031694a35;p=thirdparty%2Funbound.git

- Fix #533: Negative responses get cached even when setting
  cache-max-negative-ttl: 1
---

diff --git a/doc/Changelog b/doc/Changelog
index ef467c129..2758e9c52 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+27 August 2021: Wouter
+	- Fix #533: Negative responses get cached even when setting
+	  cache-max-negative-ttl: 1
+
 25 August 2021: Wouter
 	- Merge #401: RPZ triggers. This add additional RPZ triggers,
 	  unbound supports a full set of rpz triggers, and this now
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
index 4f6d3398b..16441a79d 100644
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@@ -222,13 +222,17 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
 		 * minimum-ttl in the rdata of the SOA record */
 		if(*rr_ttl > soa_find_minttl(rr))
 			*rr_ttl = soa_find_minttl(rr);
-		if(*rr_ttl > MAX_NEG_TTL)
-			*rr_ttl = MAX_NEG_TTL;
 	}
 	if(!SERVE_ORIGINAL_TTL && (*rr_ttl < MIN_TTL))
 		*rr_ttl = MIN_TTL;
 	if(!SERVE_ORIGINAL_TTL && (*rr_ttl > MAX_TTL))
 		*rr_ttl = MAX_TTL;
+	if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) {
+		/* max neg ttl overrides the min and max ttl of everything
+		 * else, it is for a more specific record */
+		if(*rr_ttl > MAX_NEG_TTL)
+			*rr_ttl = MAX_NEG_TTL;
+	}
 	if(*rr_ttl < data->ttl)
 		data->ttl = *rr_ttl;