From c44bdaf3d820bd6a766e12ca33a1c4e09a89d6c9 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 5 Sep 2023 10:40:27 +0200
Subject: [PATCH] The proper "expired" test is ttd <= now

(cherry picked from commit 17806638ce9ae1643d881faa7328a85f98eeb265)
---
 pdns/recursordist/aggressive_nsec.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index 22fe68aad8..c22d81ea61 100644
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -140,7 +140,7 @@ void AggressiveNSECCache::prune(time_t now)
     const auto toLookAtForThisZone = (zoneEntry->d_entries.size() + 9) / 10;
     uint64_t lookedAt = 0;
     for (auto it = sidx.begin(); it != sidx.end() && lookedAt < toLookAtForThisZone; ++lookedAt) {
-      if (it->d_ttd < now) {
+      if (it->d_ttd <= now) {
         it = sidx.erase(it);
         ++erased;
       }
-- 
2.47.2