git.ipfire.org Git - thirdparty/pdns.git/commit
rec: Better handling of RFC5155 transitions in the aggressive NSEC cache
author    Remi Gacogne <remi.gacogne@powerdns.com>
          Tue, 17 Feb 2026 09:03:46 +0000 (10:03 +0100)
committer Remi Gacogne <remi.gacogne@powerdns.com>
          Thu, 2 Apr 2026 07:34:29 +0000 (09:34 +0200)
commit    f3bdfd86e74f68342fdae811b0dbb59e3ff220c8
tree      b2e4ccf435cdcaba5fcd32aa0b8cde5e8ec31007
parent    e690856b48af4d2ba1c6002180b971ea27f0629b
rec: Better handling of RFC5155 transitions in the aggressive NSEC cache

This commit ensures that we do not cache NSEC and NSEC3 records for the
same zone at the same time, which could lead to surprises during
NSEC -> NSEC3 or NSEC3 -> NSEC transitions as described in RFC5155 sections
10.4 and 10.5.
The existing code was correctly handling the NSEC -> NSEC3 transition
by clearing any existing NSEC records when an NSEC3 record was received
for a zone, but this behaviour could have been problematic for NSEC3
to NSEC transitions.
The new behaviour is to refuse to insert records during the transition,
keeping the existing entries until they expire.

This was reported by:
- Qifan Zhang (Palo Alto Networks) qzhang@paloaltonetworks.com
- Zilin Shen (Purdue University) shen624@purdue.edu
- Imtiaz Karim (The University of Texas at Dallas) imtiaz.karim@utdallas.edu
- Elisa Bertino (Purdue University) bertino@purdue.edu
- Daiping Liu (Palo Alto Networks) dpliu@paloaltonetworks.com
- Zhou Li (University of California, Irvine) zhou.li@uci.edu

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
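The policy the commit message describes, one denial type per zone at a time with the other type refused until the cached entries expire, as an added C++ model that is not code from the PowerDNS Recursor or from this commit. The zone name, owner names, TTLs and timestamps are constructed; the class and function names are assumptions chosen for the illustration. The model generalises to both transition directions (NSEC -> NSEC3 and NSEC3 -> NSEC), which is the case the message says the old clear-on-NSEC3 behaviour did not handle symmetrically.

```cpp
#include <algorithm>
#include <cstddef>
#include <ctime>
#include <map>
#include <string>
#include <vector>

// Which flavour of authenticated denial of existence a cached entry carries.
enum class DenialType { NSEC, NSEC3 };

struct DenialEntry {
    std::string owner;   // owner name of the NSEC/NSEC3 record (constructed in the demo)
    DenialType type;     // NSEC or NSEC3
    std::time_t expiry;  // absolute time after which the entry is discarded
};

// Hypothetical per-zone cache implementing the "refuse to insert during a
// transition, keep existing entries until they expire" rule.
class ZoneDenialCache {
public:
    // Returns true if the entry was stored. Returns false, without touching the
    // cache, when the zone still holds unexpired entries of the other type:
    // that is the RFC 5155 section 10.4/10.5 transition window.
    bool insert(const std::string& zone, const DenialEntry& entry, std::time_t now) {
        auto& entries = d_zones[zone];
        pruneExpired(entries, now);
        for (const auto& existing : entries) {
            if (existing.type != entry.type) {
                return false;  // mixed NSEC/NSEC3 state for one zone is never cached
            }
        }
        entries.push_back(entry);
        return true;
    }

    // Number of live entries of the given type for a zone at time `now`.
    std::size_t count(const std::string& zone, DenialType type, std::time_t now) {
        auto it = d_zones.find(zone);
        if (it == d_zones.end()) {
            return 0;
        }
        pruneExpired(it->second, now);
        return static_cast<std::size_t>(std::count_if(
            it->second.begin(), it->second.end(),
            [type](const DenialEntry& e) { return e.type == type; }));
    }

private:
    static void pruneExpired(std::vector<DenialEntry>& entries, std::time_t now) {
        entries.erase(std::remove_if(entries.begin(), entries.end(),
                                     [now](const DenialEntry& e) { return e.expiry <= now; }),
                      entries.end());
    }

    std::map<std::string, std::vector<DenialEntry>> d_zones;
};

struct TransitionResult {
    bool acceptedDuringTransition;   // new-type record offered while old-type entries are live
    bool acceptedAfterExpiry;        // same record offered once the old-type entries expired
    std::size_t oldTypeLeftAfter;    // old-type entries still cached after the switch
    std::size_t newTypeAfter;        // new-type entries cached after the switch
};

// Walks one zone through a `from` -> `to` transition with constructed records and
// a 300-second TTL, starting at a constructed epoch t0.
TransitionResult simulateTransition(DenialType from, DenialType to) {
    ZoneDenialCache cache;
    const std::string zone = "example.test.";  // constructed zone name
    const std::time_t t0 = 1000;
    const std::time_t ttl = 300;

    cache.insert(zone, {"a.example.test.", from, t0 + ttl}, t0);
    cache.insert(zone, {"m.example.test.", from, t0 + ttl}, t0);

    // The operator re-signs the zone: the first record of the new type arrives
    // while the old entries are still valid, so the cache refuses it.
    const DenialEntry fresh{"q.example.test.", to, t0 + 60 + ttl};
    const bool during = cache.insert(zone, fresh, t0 + 60);

    // Once the old entries have expired the new type is accepted normally.
    const std::time_t later = t0 + ttl + 1;
    const bool after = cache.insert(zone, fresh, later);

    return {during, after, cache.count(zone, from, later), cache.count(zone, to, later)};
}
```

Running `simulateTransition(DenialType::NSEC, DenialType::NSEC3)` and the reverse call gives the same shape of result in both directions: the first new-type record is refused, the old entries survive untouched until their TTL runs out, and only then does the zone switch type. The old clear-on-NSEC3 behaviour would instead have reported the NSEC entries as gone at `t0 + 60`, and had no counterpart at all for the NSEC3 -> NSEC direction.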
pdns/recursordist/aggressive_nsec.cc
pdns/recursordist/aggressive_nsec.hh
pdns/recursordist/test-aggressive_nsec_cc.cc