From: Chris Hofstaedtler Date: Sun, 14 Aug 2022 13:42:38 +0000 (+0200) Subject: Check setting only once per loop, avoid DB lookups X-Git-Tag: rec-4.8.0-alpha1~28^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f16a341fcee15e0fe66ac5ff227a70c8158eeaa8;p=thirdparty%2Fpdns.git Check setting only once per loop, avoid DB lookups --- diff --git a/docs/settings.rst b/docs/settings.rst index b58aaa8184..142a4822a3 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -289,7 +289,7 @@ signatures in the SOA response. In some problematic scenarios, primary servers send truncated SOA responses. As a workaround, this setting can be turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional -drift, primary servers then must always increase the zone serial on signature changes. +drift, primary servers must then always increase the zone serial when it updates signatures. It is strongly recommended to keep this setting enabled (`yes`). diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 991c98e0c1..74cfabb87d 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -1154,6 +1154,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P) } sdomains.reserve(rdomains.size()); DNSSECKeeper dk(B); // NOW HEAR THIS! This DK uses our B backend, so no interleaved access! + bool checkSignatures = ::arg().mustDo("secondary-check-signature-freshness") && dk.doesDNSSEC(); { auto data = d_data.lock(); domains_by_name_t& nameindex=boost::multi_index::get(data->d_suckdomains); @@ -1181,12 +1182,8 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P) } DomainNotificationInfo dni; - dni.di=di; - if (::arg().mustDo("secondary-check-signature-freshness")) { - dni.dnssecOk = dk.doesDNSSEC(); - } else { - dni.dnssecOk = false; - } + dni.di = di; + dni.dnssecOk = checkSignatures; if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) { string secret64; 
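Review bot: The added `checkSignatures` is neither `const` nor commented, so a reader has to work out why a decision the old code made per zone can now be taken once before the loop. Assuming `dk.doesDNSSEC()` is a backend-wide capability rather than a per-zone one (it takes no zone argument), the hoist is sound and the call lands before any `B->lookup`, consistent with the "no interleaved access" warning on the preceding line; spell that out on the line itself: `const bool checkSignatures = ::arg().mustDo("secondary-check-signature-freshness") && dk.doesDNSSEC(); // config + backend capability: identical for every zone in this pass, resolve once`. The name reads as the setting alone while the value also encodes backend DNSSEC support, which matters wherever the flag later gates a check. slaveRefresh starts and ends outside this hunk.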
@@ -1331,7 +1328,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
 }
 else if(hasSOA && theirserial == ourserial) {
 uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone) && ::arg().mustDo("secondary-check-signature-freshness")) {
+ if(checkSignatures && dk.isPresigned(di.zone)) {
 B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
 DNSZoneRecord zr;
 while(B->get(zr)) {
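Review bot: The rewritten condition now also requires `dk.doesDNSSEC()` (folded into `checkSignatures` in an earlier hunk), which the old `isPresigned && mustDo` test did not, and neither the hunk nor the commit message records this as an intended change. If a backend can report a zone as presigned while answering `doesDNSSEC()` false, the RRSIG inception/expiry freshness check is now skipped for that zone with no log line, so stale signatures stay in place until the serial changes — the drift the setting exists to prevent. If that combination is known to be impossible, say so at the condition, e.g. `// checkSignatures also implies dk.doesDNSSEC(); a presigned zone cannot exist on a backend without DNSSEC support`; otherwise key this check on the setting alone and leave `doesDNSSEC()` to the DO-flag decision. slaveRefresh begins and ends outside this hunk.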