From: Otto Moerbeek Date: Tue, 10 Jun 2025 07:02:47 +0000 (+0200) Subject: rec: when using ZTC, do not store non-auth data if the name is subject to recursive... X-Git-Tag: rec-5.2.5~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F15907%2Fhead;p=thirdparty%2Fpdns.git rec: when using ZTC, do not store non-auth data if the name is subject to recursive forwarding Fixes #15651 Signed-off-by: Otto Moerbeek (cherry picked from commit 753ad2390bfbc90f6bc1b68f980ef4bcdc2cfddc)
---
diff --git a/pdns/recursordist/rec-zonetocache.cc b/pdns/recursordist/rec-zonetocache.cc
index f7fb5dc1c2..e1955a3599 100644
--- a/pdns/recursordist/rec-zonetocache.cc
+++ b/pdns/recursordist/rec-zonetocache.cc
@@ -418,10 +418,12 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
 sigsrr = iter->second;
 }
 bool auth = isRRSetAuth(qname, qtype);
- // Same decision as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
- if (auth || (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS)) {
- g_recCache->replace(d_now, qname, qtype, v, sigsrr,
- std::vector>(), auth, d_zone);
+ // Same list as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
+ // Issue #15651
+ bool storeNonAuth = !SyncRes::isRecursiveForward(qname);
+ if (auth || (storeNonAuth && (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS))) {
+ g_recCache->replace(d_now, qname, qtype, v, sigsrr, {},
+ auth, d_zone);
 }
 break;
 }
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 491e36b60b..8d7823faed 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
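Review bot: In ZoneData::ZoneToCache the new `storeNonAuth` lookup runs for every RRSet, including authoritative ones where its result is never used, and the only rationale left in the code is the bare `// Issue #15651`. Folding the call into the condition keeps the zone-map lookup to the non-auth NS/A/AAAA/DS case: `if (auth || ((qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS) && !SyncRes::isRecursiveForward(qname))) {`. Because this test decides which unauthenticated delegation and glue records may enter the record cache, the comment should state the rule itself, for example `// Names covered by a recursive forward get no non-auth (delegation/glue) records from the loaded zone, see #15651`. The enclosing function starts and ends outside this hunk.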
@@ -1089,6 +1089,13 @@ bool SyncRes::isRecursiveForwardOrAuth(const DNSName& qname)
 return iter != t_sstorage.domainmap->end() && (iter->second.isAuth() || iter->second.shouldRecurse());
 }

+bool SyncRes::isRecursiveForward(const DNSName& qname)
+{
+ DNSName authname(qname);
+ const auto iter = getBestAuthZone(&authname);
+ return iter != t_sstorage.domainmap->end() && iter->second.shouldRecurse();
+}
+
 bool SyncRes::isForwardOrAuth(const DNSName& qname)
 {
 DNSName authname(qname);
diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh
index 0974743acb..b3f5445b15 100644
--- a/pdns/recursordist/syncres.hh
+++ b/pdns/recursordist/syncres.hh
@@ -296,6 +296,7 @@ public:
 {
 return t_sstorage.domainmap;
 }
+ static bool isRecursiveForward(const DNSName& qname);
 static void setECSScopeZeroAddress(const Netmask& scopeZeroMask)
 {
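Review bot: SyncRes::isRecursiveForward dereferences `t_sstorage.domainmap` without a null check, and its new caller is the zone-to-cache loader rather than a resolve path. If `t_sstorage` is per-thread, as the prefix suggests, the answer comes from whatever domain map the loading thread holds, so it is worth confirming that the map is always installed there before ZoneToCache runs; the existing isRecursiveForwardOrAuth has the same shape. Should a guard be added, `if (!t_sstorage.domainmap) { return true; }` fails closed (non-auth data is not stored), whereas returning false would quietly restore the behaviour this commit removes. The three near-identical predicates (isRecursiveForwardOrAuth, isRecursiveForward, isForwardOrAuth) differ only in whether auth zones count, so the syncres.hh declaration would benefit from a one-line comment such as `// true only for forward zones with recursion requested; auth zones excluded`.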