Fix TTL issue with ANY queries processed through RPZ "passthru"
authorAram Sargsyan <aram@isc.org>
Wed, 26 Feb 2025 13:32:20 +0000 (13:32 +0000)
committerArаm Sаrgsyаn <aram@isc.org>
Thu, 27 Feb 2025 08:36:49 +0000 (08:36 +0000)
Answers to an "ANY" query which are processed by the RPZ "passthru"
policy have the response-policy's 'max-policy-ttl' value unexpectedly
applied. Do not change the records' TTL when RPZ uses a policy which
does not alter the answer.

lib/ns/query.c

index 35193b9c1718aa979b6f32295679b5f7bd9b2f18..2bc3fc45e97be537d4b837b48c85ed1c88cf0228 100644 (file)
@@ -7757,7 +7757,10 @@ query_respond_any(query_ctx_t *qctx) {
                        }
 
                        qctx->rpz_st = qctx->client->query.rpz_st;
-                       if (qctx->rpz_st != NULL) {
+                       if (qctx->rpz_st != NULL &&
+                           qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
+                           qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU)
+                       {
                                qctx->rdataset->ttl =
                                        ISC_MIN(qctx->rdataset->ttl,
                                                qctx->rpz_st->m.ttl);
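Review bot: The new condition at the `if (qctx->rpz_st != NULL && ...)` lines hard-codes the two policies that leave the answer untouched without saying why, so the next reader has to rediscover the "passthru must not clamp TTL" rule from the commit message; a short comment would carry that, e.g. `/* Clamp to max-policy-ttl only when RPZ actually rewrote the answer; a miss or passthru must keep the original TTLs. */`. If the policy enum has any other value that also returns the original data unmodified, it belongs in the same exclusion, and the check is probably needed wherever the non-ANY response path applies `m.ttl` as well, so a small `static inline bool` predicate (e.g. `rpz_policy_alters_answer(policy)`) would keep the two sites in sync rather than repeating the list. query_respond_any() begins and ends outside this hunk, so whether such a duplicate site exists cannot be confirmed from here.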