From 5b04aae06e7a21d9b458413560dc2ca36f12a32a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marek=20Vavru=C5=A1a?=
Date: Fri, 11 May 2018 18:39:12 -0700
Subject: [PATCH] don't rewrite cached SOA records from negative answers

Currently there's only exception to avoid rewriting secure NS records. Most of the negative answers provide SOA record, so it's undesirable to keep rewriting it for every negative answer.
---
 lib/cache/entry_list.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/cache/entry_list.c b/lib/cache/entry_list.c
index 088dac4c2..7f1069159 100644
--- a/lib/cache/entry_list.c
+++ b/lib/cache/entry_list.c
@@ -133,7 +133,7 @@ int entry_h_splice(
 /* Find the whole entry-set and the particular entry within. */
 knot_db_val_t val_orig_all = VAL_EMPTY, val_orig_entry = VAL_EMPTY;
 const struct entry_h *eh_orig = NULL;
- if (!kr_rank_test(rank, KR_RANK_SECURE) || ktype == KNOT_RRTYPE_NS) {
+ if (!kr_rank_test(rank, KR_RANK_SECURE) || (ktype == KNOT_RRTYPE_NS || ktype == KNOT_RRTYPE_SOA)) {
 int ret = cache_op(cache, read, &key, &val_orig_all, 1);
 if (ret) val_orig_all = VAL_EMPTY;
 val_orig_entry = val_orig_all;
@@ -157,7 +157,7 @@ int entry_h_splice(
 <= val_orig_all.data + val_orig_all.len);
 }
 
- if (!kr_rank_test(rank, KR_RANK_SECURE) && eh_orig) {
+ if (eh_orig) {
 /* If equal rank was accepted, spoofing a *single* answer would be
 * enough to e.g. override NS record in AUTHORITY section.
 * This way they would have to hit the first answer
@@ -170,8 +170,8 @@ int entry_h_splice(
 WITH_VERBOSE(qry) {
 auto_free char *type_str = kr_rrtype_text(type),
 *owner_str = kr_dname_text(owner);
- VERBOSE_MSG(qry, "=> not overwriting %s %s\n",
- type_str, owner_str);
+ VERBOSE_MSG(qry, "=> not overwriting %s %s, rank 0%.2o, remaining TTL %d\n",
+ type_str, owner_str, eh_orig->rank, old_ttl);
 }
 return kr_error(EEXIST);
 }
-- 
2.47.2
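Review bot: The widened condition on the `+` line of the first hunk now looks up the existing cache entry for secure SOA as well as secure NS, but nothing in the code says why exactly those two types are treated differently from every other secure record; the rationale lives only in the commit message. I would put it above the `if`: `/* Secure entries normally just get written. NS and SOA are the exception: nearly every negative answer carries an SOA, and we don't want to rewrite the cached one on each of them (see the "not overwriting" check below). */`. The inner parentheses around the two `==` comparisons are redundant given operator precedence and could be dropped to shorten the line. entry_h_splice starts before this hunk and continues past it.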
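Review bot: The comment under the new `if (eh_orig)` in the second hunk still justifies refusing the overwrite purely as a defence against spoofing a single answer, yet the branch now also fires for DNSSEC-validated NS and SOA entries, where spoofing is not the concern and the motive is avoiding cache churn from negative answers. The comment should say so, e.g. prefix it with `/* Reached for insecure entries and for secure NS/SOA (see the lookup above). For secure data this just avoids rewriting the entry on every negative answer; for insecure data: */` followed by the existing text. Note the type filter that keeps other secure types out of this branch is the earlier read, not this condition, so the two hunks are coupled; the rank/TTL comparison that decides the refusal is outside this hunk, and the function continues past it.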
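Review bot: The new `%.2o` conversion in the third hunk expects an `unsigned int`, and `eh_orig->rank` is presumably a narrow integer field that promotes to `int`; that is tolerated by `-Wformat` in practice but not an exact match, so `(unsigned)eh_orig->rank` would be cleaner. `old_ttl` is declared outside the hunk, so please confirm it is a signed `int`-sized value before pairing it with `%d`. The enclosing function ends outside this hunk.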