- Fix that cachedb aggressive negative responses have the RA flag set.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 16 Feb 2026 15:35:37 +0000 (16:35 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 16 Feb 2026 15:35:37 +0000 (16:35 +0100)
doc/Changelog
validator/val_neg.c

index 4c96c99b83ac0e2f4070b53a59abff7a84f8a59d..412b59bc7b2de37384ddbe9a616700ef976080ad 100644 (file)
@@ -3,6 +3,9 @@
          zones. Fixed by including the ZONEMD RRtype in the list of types to
          ignore for RPZ zones. Analysis and patch provided by ummeegge.
 
+16 February 2026: Wouter
+       - Fix that cachedb aggressive negative responses have the RA flag set.
+
 11 February 2026: Wouter
        - Fix #1403: Inconsistency between do-nat64 and do-not-query-address
          during retries.
index 7817d56fcc2e631b848c21d5c86a7d6a3654cd07..66fd818994ed81e16b64c909501c088f9244b95a 100644 (file)
@@ -1289,6 +1289,8 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
                if(!(msg = dns_msg_create(qname, qname_len, 
                        LDNS_RR_TYPE_DS, zone->dclass, region, 1))) 
                        return NULL;
+               /* The cache response means recursion is available. */
+               msg->rep->flags |= BIT_RA;
                /* TTL reduced in grab_nsec */
                if(!dns_msg_authadd(msg, region, ce_rrset, 0)) 
                        return NULL;
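Review bot: The two added lines, `msg->rep->flags |= BIT_RA;` and its comment, are repeated verbatim after every `dns_msg_create()` call this patch touches: here, in the second `neg_nsec3_proof_ds` hunk, and twice in `val_neg_getmsg`. Because the flag is set per call site, a later synthesized-answer path in val_neg.c could omit it again; a file-local wrapper that creates the message and sets RA would keep the rule in one place, as sketched below (the wrapper name is only a suggestion). The file list shows only doc/Changelog and validator/val_neg.c changed, so no test pins the RA bit on these answers; a regression test covering one NSEC and one NSEC3 synthesized reply would guard it. Both functions begin and end outside the hunks, so whether they contain other message-construction paths cannot be judged from this page.

```c
/* Create a reply for an answer synthesized from the negative cache.
 * It is handed out as a resolver answer, so RA is set here once. */
static struct dns_msg*
neg_msg_create(uint8_t* qname, size_t qname_len, uint16_t qtype,
	uint16_t qclass, struct regional* region, size_t capacity)
{
	struct dns_msg* msg = dns_msg_create(qname, qname_len, qtype,
		qclass, region, capacity);
	if(!msg)
		return NULL;
	/* The cache response means recursion is available. */
	msg->rep->flags |= BIT_RA;
	return msg;
}

/* ... unchanged: neg_nsec3_proof_ds up to the first message creation ... */
		if(!(msg = neg_msg_create(qname, qname_len,
			LDNS_RR_TYPE_DS, zone->dclass, region, 1)))
			return NULL;
		/* TTL reduced in grab_nsec */
```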
@@ -1323,6 +1325,8 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
                if(!(msg = dns_msg_create(qname, qname_len, 
                        LDNS_RR_TYPE_DS, zone->dclass, region, 3))) 
                        return NULL;
+               /* The cache response means recursion is available. */
+               msg->rep->flags |= BIT_RA;
                /* now=0 because TTL was reduced in grab_nsec */
                if(!dns_msg_authadd(msg, region, ce_rrset, 0)) 
                        return NULL;
@@ -1413,6 +1417,8 @@ val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo,
                if(!(msg = dns_msg_create(qinfo->qname, qinfo->qname_len, 
                        qinfo->qtype, qinfo->qclass, region, 2))) 
                        return NULL;
+               /* The cache response means recursion is available. */
+               msg->rep->flags |= BIT_RA;
                if(!dns_msg_authadd(msg, region, nsec, 0)) 
                        return NULL;
                if(addsoa && !add_soa(rrset_cache, now, region, msg, NULL))
@@ -1426,6 +1432,8 @@ val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo,
                if(!(msg = dns_msg_create(qinfo->qname, qinfo->qname_len, 
                        qinfo->qtype, qinfo->qclass, region, 3))) 
                        return NULL;
+               /* The cache response means recursion is available. */
+               msg->rep->flags |= BIT_RA;
                if(!(ce = nsec_closest_encloser(qinfo->qname, nsec)))
                        return NULL;
                dname_count_size_labels(ce, &ce_len);