Clear serve-stale flags when following the CNAME chains
authorOndřej Surý <ondrej@isc.org>
Wed, 18 Feb 2026 05:39:33 +0000 (06:39 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 25 Feb 2026 10:30:34 +0000 (11:30 +0100)
A stale answer or SERVFAIL could have been served in case of multiple
upstream failures when following the CNAME chains. This has been fixed.

(cherry picked from commit d46277b398abc4f226002515f457da77e00878f9)

lib/ns/query.c

index a07eae3298d15cc262d67fbac61be7461abb2a26..851c1ace54e099206a6c66cb0b1c01351485b917 100644 (file)
@@ -5780,6 +5780,8 @@ root_key_sentinel_detect(query_ctx_t *qctx) {
 isc_result_t
 ns__query_start(query_ctx_t *qctx) {
        isc_result_t result = ISC_R_UNSET;
+       ns_client_t *client = qctx->client;
+
        CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start");
        qctx->want_restart = false;
        qctx->authoritative = false;
@@ -5788,6 +5790,13 @@ ns__query_start(query_ctx_t *qctx) {
        qctx->need_wildcardproof = false;
        qctx->rpz = false;
 
+       /*
+        * Clean existing stale options in case ns__query_start was restarted
+        * due to the CNAME/DNAME chains.
+        */
+       client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+                                    DNS_DBFIND_STALEOK);
+
        CALL_HOOK(NS_QUERY_START_BEGIN, qctx);
 
        /*
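Review bot: The mask in the added `client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | DNS_DBFIND_STALEOK);` clears only two serve-stale bits. If any other stale-related option (for example `DNS_DBFIND_STALESTART`) can end up stored on `client->query.dboptions` rather than on a per-lookup copy, it would still carry over into the lookup of the CNAME/DNAME target; that is not visible in this hunk and is worth confirming. The reset runs on every entry to ns__query_start, not only on chain restarts, so the comment would be more accurate as `/* Start every pass without stale-answer state left by an earlier pass (e.g. a restart for a CNAME/DNAME target). */`. The `client` local added in the first hunk is used only by this statement in the visible lines, so `qctx->client->query.dboptions` would do without it. The body of ns__query_start continues outside the hunk.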