- Fix for #1064: Fix that cachedb expired messages are considered
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 21 May 2024 15:06:18 +0000 (17:06 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 21 May 2024 15:06:18 +0000 (17:06 +0200)
  insecure, and thus can be served to clients when dnssec is enabled.

cachedb/cachedb.c
doc/Changelog

index 0f3604576190e2f3e517def62116fa05689c216f..0b355e0d3ccf3a88e580df50413cc182f1b8ef3b 100644 (file)
@@ -745,6 +745,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired)
                 * going to be now-3 seconds. Making it expired
                 * in the cache. */
                set_msg_ttl(qstate->return_msg, (time_t)-3);
+               /* The expired entry does not get checked by the validator
+                * and we need a validation value for it. */
+               if(qstate->env->cfg->cachedb_check_when_serve_expired)
+                       qstate->return_msg->rep->security = sec_status_insecure;
        }
        (void)dns_cache_store(qstate->env, &qstate->qinfo,
                qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
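Review bot: The new assignment `qstate->return_msg->rep->security = sec_status_insecure;` replaces whatever status the reply already carried, and the two-line comment above it does not say why insecure is the value chosen or what trust that implies. Since the comment itself says the expired entry is not checked by the validator, data from a signed zone is relabelled here on the strength of the cachedb backend alone; I would spell that out, e.g. `/* Not validated here: marked insecure so the expired entry can be served; its integrity rests on the cachedb backend. */`. If the reply can reach this point with `sec_status_bogus` already set (not visible in the hunk), the overwrite should probably be skipped for that case. The enclosing `if` block and the rest of cachedb_intcache_store lie outside the hunk.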
index b66edae81fb49cee58cc335ee3b51ebf26dbcd32..fb802d272aabfc944fcf36113ff58e1d8bc1f9f8 100644 (file)
@@ -4,6 +4,8 @@
        - Fix to print a parse error when config is read with no name for
          a forward-zone, stub-zone or view.
        - Fix for parse end of forward-zone, stub-zone and view.
+       - Fix for #1064: Fix that cachedb expired messages are considered
+         insecure, and thus can be served to clients when dnssec is enabled.
 
 17 May 2024: Yorgos
        - Merge #1069: Fix unbound-control stdin commands for multi-process