From: Grigorii Demidov
Date: Thu, 22 Jun 2017 09:21:01 +0000 (+0200)
Subject: layer/pktcache: don't cache CNAME'ed negative answer when forwarding
X-Git-Tag: v1.3.1^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6e22f476dc43493f74944be79179a1f49bc4b9f;p=thirdparty%2Fknot-resolver.git

layer/pktcache: don't cache CNAME'ed negative answer when forwarding

it can contain records which have not been validated by validator
---

diff --git a/lib/layer/pktcache.c b/lib/layer/pktcache.c
index 0d1179dcf..777e8e1e2 100644
--- a/lib/layer/pktcache.c
+++ b/lib/layer/pktcache.c
@@ -229,8 +229,16 @@ static int pktcache_stash(kr_layer_t *ctx, knot_pkt_t *pkt)
 /* Cache only NODATA/NXDOMAIN or metatype/RRSIG or wildcard expanded answers. */
 const uint16_t qtype = knot_pkt_qtype(pkt);
 const bool is_eligible = (knot_rrtype_is_metatype(qtype) || qtype == KNOT_RRTYPE_RRSIG);
- const bool is_negative = kr_response_classify(pkt) & (PKT_NODATA|PKT_NXDOMAIN);
- if (!(is_eligible || is_negative || (qry->flags & QUERY_DNSSEC_WEXPAND))) {
+ bool is_negative = kr_response_classify(pkt) & (PKT_NODATA|PKT_NXDOMAIN);
+ bool wcard_expansion = (qry->flags & QUERY_DNSSEC_WEXPAND);
+ if (is_negative && ((qry->flags & (QUERY_FORWARD | QUERY_CNAME)) ==
+ (QUERY_FORWARD | QUERY_CNAME))) {
+ /* Don't cache CNAME'ed NXDOMAIN answer in forwarding mode
+ since it can contain records
+ which have not been validated by validator */
+ return ctx->state;
+ }
+ if (!(is_eligible || is_negative || wcard_expansion)) {
 return ctx->state;
 }
 uint32_t ttl = packet_ttl(pkt, is_negative);
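Review bot: The comment in the new early-return block says "CNAME'ed NXDOMAIN answer", but `is_negative` is derived from `PKT_NODATA|PKT_NXDOMAIN`, so the guard also stops NODATA answers from being stashed; the comment should read `/* Don't cache CNAME'ed NXDOMAIN/NODATA answers in forwarding mode: they may carry records the validator has not checked. */` so a later reader does not assume NODATA is still cached here. Dropping `const` from `is_negative` was not needed, since nothing in the hunk reassigns it; `const bool is_negative = …;` and `const bool wcard_expansion = …;` keep the new declarations in line with the neighbouring `qtype`/`is_eligible` ones. The decision is keyed on query flags rather than on the answer's contents, which is the conservative direction (skipping a cache entry only costs a re-resolve), but that trade-off is worth one sentence in the comment. pktcache_stash begins and ends outside this hunk.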