From: Ondřej Surý
Date: Wed, 18 Feb 2026 05:39:33 +0000 (+0100)
Subject: Clear serve-stale flags when following the CNAME chains
X-Git-Tag: v9.21.19~11^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d46277b398abc4f226002515f457da77e00878f9;p=thirdparty%2Fbind9.git

Clear serve-stale flags when following the CNAME chains

A stale answer or SERVFAIL could have been served in case of multiple upstream failures when following the CNAME chains. This has been fixed.
---
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 59165a2537e..b457d61173d 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5382,6 +5382,8 @@ qctx_setrad(query_ctx_t *qctx) {
 isc_result_t
 ns__query_start(query_ctx_t *qctx) {
 isc_result_t result = ISC_R_UNSET;
+ ns_client_t *client = qctx->client;
+
 CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start");
 qctx->want_restart = false;
 qctx->authoritative = false;
@@ -5390,6 +5392,13 @@ ns__query_start(query_ctx_t *qctx) {
 qctx->need_wildcardproof = false;
 qctx->rpz = false;

+ /*
+ * Clean existing stale options in case ns__query_start was restarted
+ * due to the CNAME/DNAME chains.
+ */
+ client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+ DNS_DBFIND_STALEOK);
+
 CALL_HOOK(NS_QUERY_START_BEGIN, qctx);

 /*
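Review bot: The comment above the new `client->query.dboptions &= ~(...)` statement in the second hunk names what is cleared but not the consequence of leaving it set, which is the part a later maintainer needs. Going by the commit message, a restart for the next name in a CNAME/DNAME chain would otherwise inherit the stale-answer permission left behind by the previous name's failed lookup; I would add a line such as `* Left set, the lookup for the chain target could return a stale answer or SERVFAIL based on the previous name's upstream failure.` The reset is unconditional on every entry to ns__query_start, whose body continues outside the hunk, so it is worth confirming that no path sets either flag on purpose before entering here. No regression test is visible on this page; a serve-stale system test with a CNAME chain and a failing upstream would pin the behaviour.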