From: W.C.A. Wijngaards Date: Tue, 21 May 2024 15:06:18 +0000 (+0200) Subject: - Fix for #1064: Fix that cachedb expired messages are considered X-Git-Tag: release-1.21.0rc1~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbdc06ebc451aa27d45358e8c17cf458cb364132;p=thirdparty%2Funbound.git - Fix for #1064: Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled. --- diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c index 0f3604576..0b355e0d3 100644 --- a/cachedb/cachedb.c +++ b/cachedb/cachedb.c @@ -745,6 +745,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired) * going to be now-3 seconds. Making it expired * in the cache. */ set_msg_ttl(qstate->return_msg, (time_t)-3); + /* The expired entry does not get checked by the validator + * and we need a validation value for it. */ + if(qstate->env->cfg->cachedb_check_when_serve_expired) + qstate->return_msg->rep->security = sec_status_insecure; } (void)dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0, diff --git a/doc/Changelog b/doc/Changelog index b66edae81..fb802d272 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -4,6 +4,8 @@ - Fix to print a parse error when config is read with no name for a forward-zone, stub-zone or view. - Fix for parse end of forward-zone, stub-zone and view. + - Fix for #1064: Fix that cachedb expired messages are considered + insecure, and thus can be served to clients when dnssec is enabled. 17 May 2024: Yorgos - Merge #1069: Fix unbound-control stdin commands for multi-process
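Review bot: in the cachedb/cachedb.c hunk, the added assignment `qstate->return_msg->rep->security = sec_status_insecure;` overwrites whatever status the reply already carried, and it only runs when `cachedb_check_when_serve_expired` is set. The comment above it says a validation value is needed but not why insecure is the right one, nor what `rep->security` is when the option is off and the expired entry is still stored by `dns_cache_store`. Suggest extending the comment to say why the marking is tied to that option and that replacing any earlier status is intended. Because this changes what a DNSSEC-enabled resolver will hand to clients from the expired cachedb path, a regression test covering an expired cachedb entry with the option on and off would also help.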
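Review bot: in the doc/Changelog hunk, the new entry "Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled" can be read as describing either the defect or the new behaviour. Suggest rewording it so it is clear that expired cachedb messages are now marked insecure, and mentioning that this applies when `cachedb_check_when_serve_expired` is set, since the code change in cachedb/cachedb.c is conditional on it.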