From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 5 Sep 2023 08:40:27 +0000 (+0200)
Subject: The proper "expired" test is ttd <= now
X-Git-Tag: rec-4.9.2~8^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c44bdaf3d820bd6a766e12ca33a1c4e09a89d6c9;p=thirdparty%2Fpdns.git

The proper "expired" test is ttd <= now

(cherry picked from commit 17806638ce9ae1643d881faa7328a85f98eeb265)
---

diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index 22fe68aad8..c22d81ea61 100644
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -140,7 +140,7 @@ void AggressiveNSECCache::prune(time_t now)
     const auto toLookAtForThisZone = (zoneEntry->d_entries.size() + 9) / 10;
     uint64_t lookedAt = 0;
     for (auto it = sidx.begin(); it != sidx.end() && lookedAt < toLookAtForThisZone; ++lookedAt) {
-      if (it->d_ttd < now) {
+      if (it->d_ttd <= now) {
         it = sidx.erase(it);
         ++erased;
       }