From 753ad2390bfbc90f6bc1b68f980ef4bcdc2cfddc Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Tue, 10 Jun 2025 09:02:47 +0200
Subject: [PATCH] rec: when using ZTC, do not store non-auth data if the name is subject to recursive forwarding
Fixes #15651
Signed-off-by: Otto Moerbeek
---
 pdns/recursordist/rec-zonetocache.cc | 6 ++++--
 pdns/recursordist/syncres.cc | 7 +++++++
 pdns/recursordist/syncres.hh | 1 +
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/pdns/recursordist/rec-zonetocache.cc b/pdns/recursordist/rec-zonetocache.cc
index d4f71f14d1..1c5ccd31cd 100644
--- a/pdns/recursordist/rec-zonetocache.cc
+++ b/pdns/recursordist/rec-zonetocache.cc
@@ -418,8 +418,10 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
 sigsrr = iter->second;
 }
 bool auth = isRRSetAuth(qname, qtype);
- // Same decision as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
- if (auth || (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS)) {
+ // Same list as updateCacheFromRecords() (we do not test for NSEC since we skip those completely)
+ // Issue #15651
+ bool storeNonAuth = !SyncRes::isRecursiveForward(qname);
+ if (auth || (storeNonAuth && (qtype == QType::NS || qtype == QType::A || qtype == QType::AAAA || qtype == QType::DS))) {
 g_recCache->replace(d_now, qname, qtype, v, sigsrr, {}, auth, d_zone);
 }
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 6d29075199..2eb6447976 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
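Review bot: In the rec-zonetocache.cc hunk the new comment `// Issue #15651` gives only a ticket number, so the reason names under a recursive forward are excluded from the non-auth list cannot be read from the code. I would replace it with something like `// Skip non-auth NS/A/AAAA/DS for names under a recursive forward so cached referral data cannot take the place of the configured forwarder (#15651)`, worded to match what the issue actually reports. The check runs once per RRset while the zone is loaded, so it presumably reflects only the forward configuration at that moment; if forwards can be reloaded at runtime, it is worth stating whether previously stored non-auth records are expected to stay until the next ZTC refresh. The diffstat lists only the three source files, so no regression test accompanies the behaviour change. The body of ZoneToCache starts and ends outside the hunk.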
@@ -1090,6 +1090,13 @@ bool SyncRes::isRecursiveForwardOrAuth(const DNSName& qname)
 return iter != t_sstorage.domainmap->end() && (iter->second.isAuth() || iter->second.shouldRecurse());
 }
+bool SyncRes::isRecursiveForward(const DNSName& qname)
+{
+ DNSName authname(qname);
+ const auto iter = getBestAuthZone(&authname);
+ return iter != t_sstorage.domainmap->end() && iter->second.shouldRecurse();
+}
+
 bool SyncRes::isForwardOrAuth(const DNSName& qname)
 {
 DNSName authname(qname);
diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh
index 61ee00bde1..eb3c61698d 100644
--- a/pdns/recursordist/syncres.hh
+++ b/pdns/recursordist/syncres.hh
@@ -296,6 +296,7 @@ public:
 {
 return t_sstorage.domainmap;
 }
+ static bool isRecursiveForward(const DNSName& qname);
 static void setECSScopeZeroAddress(const Netmask& scopeZeroMask)
 {
-- 
2.47.2
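Review bot: In the syncres.cc hunk, `SyncRes::isRecursiveForward` dereferences `t_sstorage.domainmap` without a null check and is now called from `ZoneData::ZoneToCache`. The `t_` prefix suggests per-thread storage, so it is worth confirming that the thread loading zones into the cache always has a domain map installed. The neighbouring `isRecursiveForwardOrAuth` has the same shape, so the new function is consistent with the file, but its call site may run in a different context than the resolver paths. The precondition could be documented at the definition, e.g. `// True if the best matching domain map entry for qname has shouldRecurse() set; assumes t_sstorage.domainmap is non-null`, and the same one-liner would fit above the declaration added in syncres.hh.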