From: Ondřej Surý Date: Sat, 8 Nov 2025 11:06:20 +0000 (+0100) Subject: Evict the RRSIG when adding negative header X-Git-Tag: v9.21.16~17^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4adabb2dd33510a91a30a129d8b5afe601348c7;p=thirdparty%2Fbind9.git Evict the RRSIG when adding negative header Formerly, we've evicted the RRSIG(type) only when we were changing existing header from positive to negative. Move the eviction routine for the RRSIG to a common path, so the RRSIG also gets evicted when we are adding new negative header for a specific type. --- diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index 21979591743..fe69818f547 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -2912,15 +2912,7 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, mark_ancient(oldheader); - if (EXISTS(newheader) && NEGATIVE(newheader) && - !dns_rdatatype_issig(rdtype)) - { - if (oldtop->related != NULL) { - dns_slabheader_t *oldsigheader = - first_header(oldtop->related); - mark_ancient(oldsigheader); - } - } + INSIST(oldtop->related == related); } else if (!EXISTS(newheader)) { /* * The type already doesn't exist; no point trying @@ -2975,6 +2967,18 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, } } + /* + * We've added a proof that a rdtype doesn't exist. + * + * Mark the related rrsig in the cache as ancient. + */ + if (EXISTS(newheader) && NEGATIVE(newheader) && + !dns_rdatatype_issig(rdtype) && related != NULL) + { + dns_slabheader_t *oldsigheader = first_header(oldtop->related); + mark_ancient(oldsigheader); + } + bindrdataset(qpdb, qpnode, newheader, now, nlocktype, tlocktype, addedrdataset DNS__DB_FLARG_PASS);
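Review bot: In the first hunk (@@ -2912), the new `INSIST(oldtop->related == related);` depends on `related`, which is neither declared nor assigned anywhere in the visible lines, and it enforces the invariant by aborting the process on the cache add path. Please add a short comment at the INSIST saying where `related` is looked up and why it must equal `oldtop->related` in this branch, so that a later change to that lookup is caught in review rather than by an assertion failure in a running resolver.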
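Review bot: In the second hunk (@@ -2975), the condition guards on `related != NULL` but the body dereferences a different expression, `first_header(oldtop->related)`. The INSIST added in the first hunk shows the two are equal only inside the branch that replaces an existing header; this block sits on the common path, which the commit message says also covers adding a new negative header, and nothing in the visible lines shows that `oldtop` is non-NULL in that case. Passing the guarded pointer itself, `first_header(related)`, would keep the check and the dereference on the same value. Minor: the new comment should read "an rdtype".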