From: Miod Vallat <miod.vallat@powerdns.com>
Date: Thu, 12 Jun 2025 13:00:55 +0000 (+0200)
Subject: Clear DNSSEC signature cache outside of its write lock.
X-Git-Tag: dnsdist-2.0.0-beta1~26^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64c99b04a6b430f3795aef6333ab6438141b179c;p=thirdparty%2Fpdns.git

Clear DNSSEC signature cache outside of its write lock.
---

diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 3f01ed12a0..58b9721511 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -94,13 +94,16 @@ static void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGR
     int weekno = (time(nullptr) - dns_random(3600)) / (86400*7);  // we just spent milliseconds doing a signature, microsecond more won't kill us
     const static int maxcachesize=::arg().asNum("max-signature-cache-entries", INT_MAX);
 
-    auto signatures = g_signatures.write_lock();
-    if (g_cacheweekno < weekno || signatures->size() >= (uint) maxcachesize) {  // blunt but effective (C) Habbie, mind04
-      g_log<<Logger::Warning<<"Cleared signature cache."<<endl;
-      signatures->clear();
-      g_cacheweekno = weekno;
+    signaturecache_t oldsigs;
+    {
+      auto signatures = g_signatures.write_lock();
+      if (g_cacheweekno < weekno || signatures->size() >= (uint) maxcachesize) {  // blunt but effective (C) Habbie, mind04
+        g_log<<Logger::Warning<<"Cleared signature cache."<<endl;
+        std::swap(oldsigs, *signatures);
+        g_cacheweekno = weekno;
+      }
+      (*signatures)[lookup] = rrc.d_signature;
     }
-    (*signatures)[lookup] = rrc.d_signature;
   }
 }