rec: If new data is auth and old dat is not, upgrade even if cache locking is active

Followup to #11958

diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc
index 8244976f9c1d9e0cf4f623a27982342d17272140..9caf9a187fd6a1f0d40252abe5e33ce5b679b446 100644 (file)
--- a/pdns/recursor_cache.cc
+++ b/pdns/recursor_cache.cc
@@ -502,6 +502,10 @@ bool MemRecursorCache::CacheEntry::shouldReplace(time_t now, bool auth, vState s
       /* the new entry is Bogus, the existing one is not and is still valid, let's keep the existing one */
       return false;
     }
+    // Always allow upgrade unauth data to auth
+    if (!d_auth) {
+      return true;
+    }
   }
 
   if (SyncRes::s_locked_ttlperc > 0) {

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 0505a17804d1b76d05c7c738e422f52d17542434..18d9f6207f5c1efbec736f87b9d23eddc212232a 100644 (file)
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1707,6 +1707,7 @@ A value of 100 means only expired record sets will be replaced.
 There are a few cases where records will be replaced anyway:
 
 - Record sets that are expired will always be replaced.
+- Authoritative record sets will replace unauthoritative record sets unless DNSSEC validation of the new record set failed.
 - If the new record set belongs to a DNSSEC-secure zone and successfully passed validation it will replace an existing entry.
 - Record sets produced by :ref:`setting-refresh-on-ttl-perc` tasks will also replace existing record sets.