From: Marek VavruĊĦa
Date: Sat, 12 May 2018 01:39:12 +0000 (-0700)
Subject: don't rewrite cached SOA records from negative answers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f39624e49eb45a293913999788aa7fe510cf496f;p=thirdparty%2Fknot-resolver.git

don't rewrite cached SOA records from negative answers

Currently there's only exception to avoid rewriting secure NS records. Most of the negative answers provide SOA record, so it's undesirable to keep rewriting it for every negative answer.
---
diff --git a/lib/cache/entry_list.c b/lib/cache/entry_list.c
index 6a5001c1b..f75ffa711 100644
--- a/lib/cache/entry_list.c
+++ b/lib/cache/entry_list.c
@@ -224,7 +224,7 @@ int entry_h_splice(
 const struct entry_h *eh_orig = NULL;
 entry_list_t el;
 int ret = -1;
- if (!kr_rank_test(rank, KR_RANK_SECURE) || ktype == KNOT_RRTYPE_NS) {
+ if (!kr_rank_test(rank, KR_RANK_SECURE) || (ktype == KNOT_RRTYPE_NS || ktype == KNOT_RRTYPE_SOA)) {
 knot_db_val_t val;
 ret = cache_op(cache, read, &key, &val, 1);
 if (i_type) {
@@ -241,7 +241,7 @@ int entry_h_splice(
 memset(el, 0, sizeof(el));
 }

- if (!kr_rank_test(rank, KR_RANK_SECURE) && eh_orig) {
+ if (eh_orig) {
 /* If equal rank was accepted, spoofing a *single* answer would be
 * enough to e.g. override NS record in AUTHORITY section.
 * This way they would have to hit the first answer
@@ -254,8 +254,8 @@ int entry_h_splice(
 WITH_VERBOSE(qry) {
 auto_free char *type_str = kr_rrtype_text(type),
 *owner_str = kr_dname_text(owner);
- VERBOSE_MSG(qry, "=> not overwriting %s %s\n",
- type_str, owner_str);
+ VERBOSE_MSG(qry, "=> not overwriting %s %s, rank 0%.2o, remaining TTL %d\n",
+ type_str, owner_str, eh_orig->rank, old_ttl);
 }
 return kr_error(EEXIST);
 }
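Review bot: The guard in the second hunk is reduced to `if (eh_orig)`, so the "not overwriting" path now also fires for SECURE-ranked NS and SOA entries that the widened read-back in the first hunk (`ktype == KNOT_RRTYPE_NS || ktype == KNOT_RRTYPE_SOA`) locates, yet the comment that follows still motivates the refusal purely by rank comparison of non-secure answers. A maintainer reading only the comment will not learn that secure NS/SOA are deliberately kept as well, nor why that is acceptable (the SOA is the same zone-apex record for every negative answer of that zone, per the commit message). I would extend the comment with `/* Secure NS/SOA are also kept: they are re-read above so that every negative answer does not rewrite the same apex record. */`. The rest of the condition that decides whether the existing entry is still usable (rank and TTL comparison, presumably where old_ttl is computed) lies outside both hunks, so whether an expired or lower-ranked secure entry is now retained too cannot be confirmed from here; entry_h_splice starts and ends outside the hunks.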
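Review bot: The new VERBOSE_MSG format in the third hunk pairs `%.2o` with `eh_orig->rank` and `%d` with `old_ttl`, but neither type is visible in the hunk; `%o` expects an unsigned int and `%d` a signed int, so if rank is a small unsigned field and old_ttl is not a plain int this is a -Wformat warning or, for an unsigned 32-bit TTL, a mismatched specifier. Making the promotions explicit keeps the log line correct regardless of the field types: `type_str, owner_str, (unsigned)eh_orig->rank, (int)old_ttl);`. If old_ttl is already an int, only the first cast is needed.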