Also consider recursive forward in the "forwarded DS should not end up in negCache...

With @rgacogne and @phonedph1
Fixes #12189

(cherry picked from commit af746aaf59a2e977bafabd5814635f59b01e5835)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 4caac3b62d783d1baacd3c7a6e63c8ade74c7bfd..7e7834ae0d8c0c57dba5becf24f80532ad7ec070 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -424,7 +424,7 @@ bool SyncRes::isRecursiveForwardOrAuth(const DNSName &qname) const {
 bool SyncRes::isForwardOrAuth(const DNSName &qname) const {
   DNSName authname(qname);
   domainmap_t::const_iterator iter = getBestAuthZone(&authname);
-  return iter != t_sstorage.domainmap->end() && (iter->second.isAuth() || !iter->second.shouldRecurse());
+  return iter != t_sstorage.domainmap->end();
 }
 
 uint64_t SyncRes::doEDNSDump(int fd)
@@ -3607,16 +3607,16 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
         continue;
       }
     }
-    const bool negCacheIndiction = rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType::SOA &&
+    const bool negCacheIndication = rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType::SOA &&
       lwr.d_rcode == RCode::NXDomain && qname.isPartOf(rec.d_name) && rec.d_name.isPartOf(auth);
 
     bool putInNegCache = true;
-    if (negCacheIndiction && qtype == QType::DS && isForwardOrAuth(qname)) {
+    if (negCacheIndication && qtype == QType::DS && isForwardOrAuth(qname)) {
       // #10189, a NXDOMAIN to a DS query for a forwarded or auth domain should not NXDOMAIN the whole domain
       putInNegCache = false;
     }
 
-    if (negCacheIndiction) {
+    if (negCacheIndication) {
       LOG(prefix<<qname<<": got negative caching indication for name '"<<qname<<"' (accept="<<rec.d_name.isPartOf(auth)<<"), newtarget='"<<newtarget<<"'"<<endl);
 
       rec.d_ttl = min(rec.d_ttl, s_maxnegttl);