don't rewrite cached SOA records from negative answers
authorMarek Vavruša <mvavrusa@cloudflare.com>
Sat, 12 May 2018 01:39:12 +0000 (18:39 -0700)
committerMarek Vavruša <mvavrusa@cloudflare.com>
Fri, 7 Sep 2018 17:45:21 +0000 (10:45 -0700)
Currently there's only one exception, which avoids rewriting secure NS records.
Most of the negative answers provide SOA record, so it's undesirable
to keep rewriting it for every negative answer.

lib/cache/entry_list.c

index 6a5001c1b7010bb68746f8af971371108bd81abf..f75ffa711d501e4d4002a450af4a88d4c0205803 100644 (file)
@@ -224,7 +224,7 @@ int entry_h_splice(
        const struct entry_h *eh_orig = NULL;
        entry_list_t el;
        int ret = -1;
-       if (!kr_rank_test(rank, KR_RANK_SECURE) || ktype == KNOT_RRTYPE_NS) {
+       if (!kr_rank_test(rank, KR_RANK_SECURE) || (ktype == KNOT_RRTYPE_NS || ktype == KNOT_RRTYPE_SOA)) {
                knot_db_val_t val;
                ret = cache_op(cache, read, &key, &val, 1);
                if (i_type) {
@@ -241,7 +241,7 @@ int entry_h_splice(
                memset(el, 0, sizeof(el));
        }
 
-       if (!kr_rank_test(rank, KR_RANK_SECURE) && eh_orig) {
+       if (eh_orig) {
                /* If equal rank was accepted, spoofing a *single* answer would be
                 * enough to e.g. override NS record in AUTHORITY section.
                 * This way they would have to hit the first answer
@@ -254,8 +254,8 @@ int entry_h_splice(
                        WITH_VERBOSE(qry) {
                                auto_free char *type_str = kr_rrtype_text(type),
                                        *owner_str = kr_dname_text(owner);
-                               VERBOSE_MSG(qry, "=> not overwriting %s %s\n",
-                                               type_str, owner_str);
+                               VERBOSE_MSG(qry, "=> not overwriting %s %s, rank 0%.2o, remaining TTL %d\n",
+                                               type_str, owner_str, eh_orig->rank, old_ttl);
                        }
                        return kr_error(EEXIST);
                }
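Review bot: The comment at lines 29–31 still explains the refusal to overwrite solely as a defence against spoofing of non-secure data, yet the guard on line 28 dropped `!kr_rank_test(rank, KR_RANK_SECURE)`, so the same refusal now applies to SECURE NS and SOA records read under the widened condition on line 19, and a reader of the new code cannot tell from the comment that this is deliberate. I would add `/* Also reached for secure NS/SOA (read above): their existing entry is kept rather than rewritten on every answer that carries them. */` directly above the `if (eh_orig)` block. Note that the line-19 check is purely type-based, so a secure SOA from a positive SOA query is held back the same way as one taken from a negative answer's AUTHORITY section — presumably acceptable, but worth stating in that comment. The `%d` for `old_ttl` on line 39 is only strictly correct if `old_ttl` is a plain `int`; if it is declared `int32_t`, `PRId32` would be the portable form (its declaration lies outside the hunk). entry_h_splice's body begins before the first hunk and continues past the last.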