From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 23 Feb 2026 11:45:14 +0000 (+0100)
Subject: - Fix to have cachedb not return expired bogus data as non-bogus.
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa4e2a9e693a1b87c72d850cd88f1b74574b7f46;p=thirdparty%2Funbound.git

- Fix to have cachedb not return expired bogus data as non-bogus.
---

diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index b45c0a3ea..226669fcd 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -754,8 +754,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired,
 			"(original ttl: %d)", (int)original_ttl);
 		/* The expired entry does not get checked by the validator
 		 * and we need a validation value for it. */
+		/* By setting this to unchecked, bogus data is not returned
+		 * as non-bogus. */
 		if(qstate->env->cfg->cachedb_check_when_serve_expired)
-			qstate->return_msg->rep->security = sec_status_insecure;
+			qstate->return_msg->rep->security = sec_status_unchecked;
 	}
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
diff --git a/doc/Changelog b/doc/Changelog
index 6ac6a1038..84e1f05cf 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+23 February 2026: Wouter
+	- Fix to have cachedb not return expired bogus data as non-bogus.
+
 17 February 2026: Wouter
 	- Fix to remove unused conditional from cookie timestamp at
 	  worker env.