From: Otto Moerbeek Date: Mon, 26 Sep 2022 10:16:19 +0000 (+0200) Subject: rec: If new data is auth and old dat is not, upgrade even if cache locking is active X-Git-Tag: rec-4.9.0-alpha0~21^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=207b5f2c2dc90fc06a84415d644384004e79ab77;p=thirdparty%2Fpdns.git rec: If new data is auth and old dat is not, upgrade even if cache locking is active Followup to #11958 --- diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc index 8244976f9c..9caf9a187f 100644 --- a/pdns/recursor_cache.cc +++ b/pdns/recursor_cache.cc @@ -502,6 +502,10 @@ bool MemRecursorCache::CacheEntry::shouldReplace(time_t now, bool auth, vState s /* the new entry is Bogus, the existing one is not and is still valid, let's keep the existing one */ return false; } + // Always allow upgrade unauth data to auth + if (!d_auth) { + return true; + } } if (SyncRes::s_locked_ttlperc > 0) { diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 0505a17804..18d9f6207f 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -1707,6 +1707,7 @@ A value of 100 means only expired record sets will be replaced. There are a few cases where records will be replaced anyway: - Record sets that are expired will always be replaced. +- Authoritative record sets will replace unauthoritative record sets unless DNSSEC validation of the new record set failed. - If the new record set belongs to a DNSSEC-secure zone and successfully passed validation it will replace an existing entry. - Record sets produced by :ref:`setting-refresh-on-ttl-perc` tasks will also replace existing record sets.
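Review bot: In the recursor_cache.cc hunk, the new `if (!d_auth) { return true; }` is placed inside the enclosing `if` that the Bogus check also lives in and before the `if (SyncRes::s_locked_ttlperc > 0)` check, so the upgrade deliberately wins over cache locking; the comment above it should state that and read grammatically, e.g. `// Always allow upgrading unauth data to auth, even when cache locking is active`, since a reader skimming the function will otherwise assume the early return is an oversight. The ordering also means the upgrade is gated only by the preceding Bogus-and-still-valid check, so a Bogus authoritative answer will still replace a non-authoritative entry that is expired or itself Bogus; that matches the existing comment, but this behavioural change to shouldReplace ships without a test, and a unit test exercising an unauth entry with locked TTL percentage being replaced by (a) a validated auth answer and (b) a Bogus auth answer would pin it down.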
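Review bot: The settings.rst hunk overstates the exception: the added bullet says authoritative record sets replace non-authoritative ones "unless DNSSEC validation of the new record set failed", but per the code comment in the companion hunk ("the new entry is Bogus, the existing one is not and is still valid, let's keep the existing one") the existing entry is kept only when it is still valid and did not itself fail validation; if it is expired or Bogus, the new Bogus authoritative set does replace it. Suggested wording: "Authoritative record sets will replace non-authoritative record sets, unless the new record set failed DNSSEC validation and the existing one is still valid and did not." Also prefer "non-authoritative" over "unauthoritative", which is not the term used elsewhere in these docs.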