From fbdc06ebc451aa27d45358e8c17cf458cb364132 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 21 May 2024 17:06:18 +0200
Subject: [PATCH] - Fix for #1064: Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled.
---
 cachedb/cachedb.c | 4 ++++
 doc/Changelog | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index 0f3604576..0b355e0d3 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -745,6 +745,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired)
 * going to be now-3 seconds. Making it expired
 * in the cache. */
 set_msg_ttl(qstate->return_msg, (time_t)-3);
+ /* The expired entry does not get checked by the validator
+ * and we need a validation value for it. */
+ if(qstate->env->cfg->cachedb_check_when_serve_expired)
+ qstate->return_msg->rep->security = sec_status_insecure;
 }
 (void)dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
diff --git a/doc/Changelog b/doc/Changelog
index b66edae81..fb802d272 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,8 @@
 - Fix to print a parse error when config is read with no name for a forward-zone, stub-zone or view.
 - Fix for parse end of forward-zone, stub-zone and view.
+ - Fix for #1064: Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled.
 17 May 2024: Yorgos
 - Merge #1069: Fix unbound-control stdin commands for multi-process
--
2.47.2
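Review bot: The added assignment `qstate->return_msg->rep->security = sec_status_insecure;` replaces whatever security status the message carried out of the cachedb backend, including a previously validated secure result, and the new comment does not say that this downgrade is deliberate; a later reader may take it for a bug and "fix" it back. Because the assignment is guarded by `cachedb_check_when_serve_expired`, the stored status is kept untouched when that option is off, which is the other half of the contract worth stating. Suggest widening the comment to `/* The expired entry does not get checked by the validator. Replace any stored status (even secure) with insecure so the answer can be served but is never presented as validated; with the option off the stored status is kept. */`, with the "never presented as validated" part confirmed against the serve-expired reply path, which is not visible here. The enclosing `cachedb_intcache_store` starts before and continues after this hunk; the Changelog hunk needs no review.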