rec: when using ZTC, do not store non-auth data if the name is subject to recursive...

author Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tue, 10 Jun 2025 07:02:47 +0000 (09:02 +0200)

committer Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tue, 10 Jun 2025 08:43:40 +0000 (10:43 +0200)
author Otto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 10 Jun 2025 07:02:47 +0000 (09:02 +0200)
committer Otto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 10 Jun 2025 08:43:40 +0000 (10:43 +0200)
diff --git a/pdns/recursordist/rec-zonetocache.cc b/pdns/recursordist/rec-zonetocache.cc

index d4f71f14d1ae947b7db02b27c4d7b56a2eee4c03..1c5ccd31cd2324f5c944ba336740a0167284226a 100644 (file)
--- a/pdns/recursordist/rec-zonetocache.cc
+++ b/pdns/recursordist/rec-zonetocache.cc
@@ -418,8 +418,10 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
          sigsrr = iter->second;
        }
        bool auth = isRRSetAuth(qname, qtype);
-      // Same decision as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
-      if (auth || (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS)) {
+      // Same list as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
+      // Issue #15651
+      bool storeNonAuth = !SyncRes::isRecursiveForward(qname);
+      if (auth || (storeNonAuth && (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS))) {
          g_recCache->replace(d_now, qname, qtype, v, sigsrr, {},
                              auth, d_zone);
        }
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc

index 6d29075199c56b7d8d24a79b9d5476266e718a96..2eb644797678d8478dc15cfe891d62cc23340265 100644 (file)
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -1090,6 +1090,13 @@ bool SyncRes::isRecursiveForwardOrAuth(const DNSName& qname)
    return iter != t_sstorage.domainmap->end() && (iter->second.isAuth() || iter->second.shouldRecurse());
  }
  
+bool SyncRes::isRecursiveForward(const DNSName& qname)
+{
+  DNSName authname(qname);
+  const auto iter = getBestAuthZone(&authname);
+  return iter != t_sstorage.domainmap->end() && iter->second.shouldRecurse();
+}
+
  bool SyncRes::isForwardOrAuth(const DNSName& qname)
  {
    DNSName authname(qname);
diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh

index 61ee00bde1a528d5d90e10102ffe51742cfe217d..eb3c61698df6da282f000da06d2adaf86fdd709b 100644 (file)
--- a/pdns/recursordist/syncres.hh
+++ b/pdns/recursordist/syncres.hh
@@ -296,6 +296,7 @@ public:
    {
      return t_sstorage.domainmap;
    }
+  static bool isRecursiveForward(const DNSName& qname);
  
    static void setECSScopeZeroAddress(const Netmask& scopeZeroMask)
    {
author	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Tue, 10 Jun 2025 07:02:47 +0000 (09:02 +0200)
committer	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Tue, 10 Jun 2025 08:43:40 +0000 (10:43 +0200)
pdns/recursordist/rec-zonetocache.cc		patch \| blob \| blame \| history
pdns/recursordist/syncres.cc		patch \| blob \| blame \| history
pdns/recursordist/syncres.hh		patch \| blob \| blame \| history