From: Otto Moerbeek Date: Fri, 28 Oct 2022 10:06:27 +0000 (+0200) Subject: QM can get confused by expiring infra records, so be a bit more lenient X-Git-Tag: dnsdist-1.8.0-rc1~250^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ce6006d7ddc925a13b868488b6e987bca41cc90;p=thirdparty%2Fpdns.git QM can get confused by expiring infra records, so be a bit more lenient with replacing auth records by unauth, as unauth (typically infra records) might come in while we are resolving. Should fix #12078 --- diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc index 9caf9a187f..c2ef9ce34b 100644 --- a/pdns/recursor_cache.cc +++ b/pdns/recursor_cache.cc @@ -490,7 +490,10 @@ time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, F bool MemRecursorCache::CacheEntry::shouldReplace(time_t now, bool auth, vState state, bool refresh) { if (!auth && d_auth) { // unauth data came in, we have some auth data, but is it fresh? - if (d_ttd > now) { // we still have valid data, ignore unauth data + // an auth entry that is going to expire while we are resolving can hurt, as it prevents infra + // records (which might be unauth) to be updated. So apply a safety margin. + const time_t margin = 5; + if (d_ttd - margin > now) { // we still have valid data, ignore unauth data return false; } d_auth = false; // new data won't be auth
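Review bot: the literal `const time_t margin = 5;` in `shouldReplace` carries no unit and no rationale for the value, and with `d_ttd - margin > now` an auth entry whose remaining lifetime is 5 or less, including any auth record that was cached with a TTL that short to begin with, no longer blocks unauth data at all. Since preferring auth over unauth data is what this branch exists for, I would hoist the value into a named constant that states seconds, and extend the comment to say that short-TTL auth records lose this protection as a deliberate trade-off. The diff as shown touches only `pdns/recursor_cache.cc`; a unit test that calls `shouldReplace` with an auth entry just inside and just outside the margin would pin the boundary (`>` versus `>=`) down.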