From: Remi Gacogne Date: Fri, 5 Jun 2020 13:14:35 +0000 (+0200) Subject: rec: Limit the TTL of RRSIG records as well X-Git-Tag: dnsdist-1.5.0-rc3~19^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe091a7206f833e6927b82b813b5af0882d8c5d9;p=thirdparty%2Fpdns.git rec: Limit the TTL of RRSIG records as well --- diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 3fde0ef257..1244b9966b 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -2546,11 +2546,13 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr const unsigned int labelCount = qname.countLabels(); bool isCNAMEAnswer = false; bool isDNAMEAnswer = false; - for(const auto& rec : lwr.d_records) { - if (rec.d_class != QClass::IN) { + for (auto& rec : lwr.d_records) { + if (rec.d_type == QType::OPT || rec.d_class != QClass::IN) { continue; } + rec.d_ttl = min(s_maxcachettl, rec.d_ttl); + if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) { isCNAMEAnswer = true; } @@ -2573,7 +2575,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr } } } - if(rec.d_type == QType::RRSIG) { + if (rec.d_type == QType::RRSIG) { auto rrsig = getRR(rec); if (rrsig) { /* As illustrated in rfc4035's Appendix B.6, the RRSIG label
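Review bot: The OPT test added to the `continue` condition and the new `rec.d_ttl = min(s_maxcachettl, rec.d_ttl);` line in the first hunk carry no comment, yet their order is what keeps the clamp correct. An OPT pseudo-record reuses the TTL field for the extended RCODE and EDNS flags, so it has to be skipped before any TTL is rewritten. I would add `// OPT keeps the extended RCODE and flags in the TTL field, never clamp it` above the `if`, and `// cap every record, RRSIG included, at s_maxcachettl before it can reach the cache` above the assignment. The loop variable also changed from `const auto&` to `auto&`, so the clamp now modifies the caller's `lwr.d_records` in place; the comment should state that this is intended. The rest of `updateCacheFromRecords` lies outside the hunk and presumably relies on seeing the capped values.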