From: Colin Vidal <colin@isc.org>
Date: Fri, 27 Feb 2026 16:07:31 +0000 (+0100)
Subject: Do not cache NS from referral in negative responses
X-Git-Tag: v9.21.21~4^2~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2f9a9752662260c7a67db89853011f9ab2d3af4;p=thirdparty%2Fbind9.git

Do not cache NS from referral in negative responses

Stop storing the NS referral into the main cache when processing a
negative response.  These records are already cached in the delegation
database and are not needed elsewhere.

Update dnssec tests that relied on parent-side NS RRsets being
returned in recursive query responses.
---

diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index ed848619b8e..ed920749cf9 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -990,14 +990,14 @@ def test_validation_recovery(ns2, ns4):
     msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True)
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.noadflag(res)
-    isctest.check.rr_count_eq(res.answer, 1)
-    isctest.check.rr_count_eq(res.additional, 1)
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.rr_count_eq(res.additional, 0)
 
     msg = isctest.query.create("inconsistent", "NS", cd=True)
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.noadflag(res)
-    isctest.check.rr_count_eq(res.answer, 1)
-    isctest.check.rr_count_eq(res.additional, 1)
+    isctest.check.rr_count_eq(res.answer, 3)
+    isctest.check.rr_count_eq(res.additional, 0)
 
     msg = isctest.query.create("inconsistent", "NS")
     res = isctest.query.tcp(msg, "10.53.0.4")
@@ -1058,7 +1058,7 @@ def test_validating_forwarder(ns4, ns9):
     msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True)
     res = isctest.query.tcp(msg, "10.53.0.9")
     isctest.check.noerror(res)
-    isctest.check.rr_count_eq(res.answer, 1)
+    isctest.check.rr_count_eq(res.answer, 2)
     isctest.check.rr_count_eq(res.additional, 0)
     isctest.check.noadflag(res)
 
@@ -1066,7 +1066,7 @@ def test_validating_forwarder(ns4, ns9):
     res = isctest.query.tcp(msg, "10.53.0.9")
     isctest.check.rr_count_eq(res.additional, 0)
     isctest.check.noadflag(res)
-    isctest.check.rr_count_eq(res.answer, 1)
+    isctest.check.rr_count_eq(res.answer, 3)
     isctest.check.rr_count_eq(res.authority, 0)
     isctest.check.rr_count_eq(res.additional, 0)
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 29bf22389e4..c9e38fc678c 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9028,9 +9028,6 @@ rctx_authority_negative(respctx_t *rctx) {
 					rctx->ns_name = name;
 					rctx->ns_rdataset = rdataset;
 				}
-				name->attributes.cache = true;
-				rdataset->attributes.cache = true;
-				rdataset->trust = dns_trust_glue;
 				break;
 			case dns_rdatatype_soa:
 				/*