From: Otto Moerbeek
Date: Mon, 9 Jan 2023 13:49:01 +0000 (+0100)
Subject: Better comments on what's going on
X-Git-Tag: dnsdist-1.8.0-rc1~93^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5108f7a5e27f9cac8bc1400fbd48cd1d768b97e5;p=thirdparty%2Fpdns.git

Better comments on what's going on
---

diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 2429bb3c2c..4f951a3d5d 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -4637,7 +4637,9 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 rememberParentSetIfNeeded(i->first.name, i->second.records, depth);
 }
 g_recCache->replace(d_now.tv_sec, i->first.name, i->first.type, i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, auth, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, d_routingTag, recordState, remoteIP, d_refresh);
- // delete negcache entry
+
+ // Delete potential negcache entry. When a record recovers with serve-stale the negcache entry can cause the wrong entry to
+ // served, as negcache entries are checked before record cache entries
 g_negCache->wipe(i->first.name, i->first.type);
 
 if (g_aggressiveNSECCache && needWildcardProof && recordState == vState::Secure && i->first.place == DNSResourceRecord::ANSWER && i->first.name == qname && !i->second.signatures.empty() && !d_routingTag && !ednsmask) {
@@ -4805,6 +4807,8 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
 */
 if (newtarget.empty() && putInNegCache) {
 g_negCache->add(ne);
+ // doCNAMECacheCheck() checks record cache and does not look into negcache. That means that and old record might be found if
+ // serve-stale is active. Avoid that by explicitly zapping that CNAME record.
 if (qtype == QType::CNAME) {
 g_recCache->doWipeCache(qname, false, qtype);
 }
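Review bot: The new comment above g_negCache->wipe() in updateCacheFromRecords reads `the wrong entry to served` — the `be` is missing and the sentence has no terminating period, so the security rationale it is meant to record is harder to read than it should be. Suggest `// Delete a potential negcache entry. When a record recovers while serve-stale is active, a lingering negcache entry would cause the wrong answer to be served, because negcache entries are consulted before record cache entries.` It would also be worth a word on keying: the wipe is called with name and type only, whereas the preceding g_recCache->replace() is keyed additionally on d_routingTag and (for ANSWER records) ednsmask, so the wipe presumably drops every negative entry for that (name, type) regardless of routing tag or subnet — if that asymmetry is intentional, say so here. The enclosing function updateCacheFromRecords starts before and ends after this hunk.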
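Review bot: The added comment in processRecords contains a typo, `That means that and old record` should read `an old record`, and `zapping` is informal for a comment that documents why a cache entry is deliberately destroyed. Suggest `// doCNAMECacheCheck() only consults the record cache, never the negcache, so with serve-stale active a stale CNAME could still be returned after a negative answer was just cached for this name. Wipe that CNAME record explicitly to prevent it.` The comment also does not explain why the wipe is restricted to `qtype == QType::CNAME`; if the reasoning is that only the CNAME lookup path bypasses the negcache while other types go through the normal negcache-before-record-cache order, stating that would stop a later reader from widening or dropping the condition. The enclosing function processRecords starts before and ends after this hunk.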