From: Aram Sargsyan Date: Wed, 27 Aug 2025 14:33:01 +0000 (+0000) Subject: RPZ 'servfail-until-ready': skip updating SERVFAIL cache X-Git-Tag: v9.21.12~3^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9b5f6c5025b758c104d50853de2fd5545d38393;p=thirdparty%2Fbind9.git RPZ 'servfail-until-ready': skip updating SERVFAIL cache In order to not pollute the SERVFAIL cache with the configured SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC attribute for the client. --- diff --git a/lib/ns/query.c b/lib/ns/query.c index f3b68d2498d..dd110568a5c 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -4004,6 +4004,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, if (first_time && popt.servfail_until_ready && zones_processed < zones_registered) { + /* Do not pollute SERVFAIL cache */ + client->inner.attributes |= NS_CLIENTATTR_NOSETFC; + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL, DNS_RPZ_TYPE_QNAME, "RPZ not ready yet", result); st->m.policy = DNS_RPZ_POLICY_ERROR;
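Review bot: The new `/* Do not pollute SERVFAIL cache */` comment states the what but not the why; since this branch fires only while `zones_processed < zones_registered`, say explicitly that the SERVFAIL is a transient loading-state answer and caching it would keep clients failing after the RPZ zones finish loading, e.g. `/* RPZ still loading: this SERVFAIL is transient, so keep it out of the SERVFAIL cache */`. Also worth confirming in the review that `client->inner.attributes` is reset per query, because the flag is OR-ed in on the `first_time` path and nothing in this hunk clears it once `zones_processed` catches up.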