RPZ 'servfail-until-ready': skip updating SERVFAIL cache

In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.

diff --git a/lib/ns/query.c b/lib/ns/query.c
index f3b68d2498df43719c2356f9e34992a4aca6b214..dd110568a5cbb973a3a5874f6452960fdcb6103e 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -4004,6 +4004,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
        if (first_time && popt.servfail_until_ready &&
            zones_processed < zones_registered)
        {
+               /* Do not pollute SERVFAIL cache  */
+               client->inner.attributes |= NS_CLIENTATTR_NOSETFC;
+
                rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL,
                             DNS_RPZ_TYPE_QNAME, "RPZ not ready yet", result);
                st->m.policy = DNS_RPZ_POLICY_ERROR;