From: Aram Sargsyan Date: Wed, 26 Feb 2025 13:32:20 +0000 (+0000) Subject: Fix TTL issue with ANY queries processed through RPZ "passthru" X-Git-Tag: ondrej/lock-free-qpzone-reads-v1~19^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5633dc90d3f4d3e2bd4d461e07fcd8d611843e7f;p=thirdparty%2Fbind9.git Fix TTL issue with ANY queries processed through RPZ "passthru" Answers to an "ANY" query which are processed by the RPZ "passthru" policy have the response-policy's 'max-policy-ttl' value unexpectedly applied. Do not change the records' TTL when RPZ uses a policy which does not alter the answer. --- diff --git a/lib/ns/query.c b/lib/ns/query.c index 35193b9c171..2bc3fc45e97 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -7757,7 +7757,10 @@ query_respond_any(query_ctx_t *qctx) { } qctx->rpz_st = qctx->client->query.rpz_st; - if (qctx->rpz_st != NULL) { + if (qctx->rpz_st != NULL && + qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS && + qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU) + { qctx->rdataset->ttl = ISC_MIN(qctx->rdataset->ttl, qctx->rpz_st->m.ttl);
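Review bot: The widened condition in query_respond_any() excludes DNS_RPZ_POLICY_MISS and DNS_RPZ_POLICY_PASSTHRU with no comment saying why, and the diff as shown touches only lib/ns/query.c, so nothing here tests the case. A short comment above the `if` would keep the commit message's intent in the code: these two policies leave the answer unaltered, so `max-policy-ttl` must not clamp `qctx->rdataset->ttl`. Because the check is an explicit list of two policy values, consider moving it into a small helper if any other path also applies `qctx->rpz_st->m.ttl`, so the paths stay consistent. A system test would guard the regression: send an ANY query for a name matched by a passthru rule and assert that the returned TTLs are not reduced to max-policy-ttl.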