[master] ignore cache when sending 5011 refresh queries
authorEvan Hunt <each@isc.org>
Wed, 11 Oct 2017 21:24:29 +0000 (14:24 -0700)
committerEvan Hunt <each@isc.org>
Wed, 11 Oct 2017 21:24:29 +0000 (14:24 -0700)
4771. [bug] When sending RFC 5011 refresh queries, disregard
cached DNSKEY rrsets. [RT #46251]

CHANGES
lib/dns/include/dns/resolver.h
lib/dns/resolver.c
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 5d3d40ff273230d9bc2467bf1841af24ab6273c8..0a334814cd4d2eb580bfcbb6aa915123403070da 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4771.  [bug]           When sending RFC 5011 refresh queries, disregard
+                       cached DNSKEY rrsets. [RT #46251]
+
 4770.  [bug]           Cache additional data from priming queries as glue.
                        Previously they were ignored as unsigned
                        non-answer data from a secure zone, and never
index 957a7183a9e9db5180052709144170a4b057052d..a5735318e44de42a552c9a10932513861ad7eb75 100644 (file)
@@ -97,6 +97,7 @@ typedef enum {
 #define DNS_FETCHOPT_PREFETCH          0x100        /*%< Do prefetch */
 #define DNS_FETCHOPT_NOCDFLAG          0x200        /*%< Don't set CD flag. */
 #define DNS_FETCHOPT_NONTA             0x400        /*%< Ignore NTA table. */
+#define DNS_FETCHOPT_NOCACHED          0x800        /*%< Force cache update. */
 
 /* Reserved in use by adb.c            0x00400000 */
 #define        DNS_FETCHOPT_EDNSVERSIONSET     0x00800000
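Review bot: The comment `/*%< Force cache update. */` on DNS_FETCHOPT_NOCACHED does not say what is being forced; the resolver.c hunk maps the flag to DNS_DBADD_FORCE, and the zone.c comment explains it exists so the RRset from a not-yet-validated response overrides a cached, validated copy. A more precise doc comment would be `/*%< Store the response even if a higher-trust RRset is cached. */`, so future callers see that the flag can lower the trust of cached data rather than merely refresh it. The name NOCACHED also suggests that the cache is bypassed on lookup, which nothing in this commit shows; if the lookup path is unaffected, the comment should say so.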
index 66d01535610d169d198aea1efab9a56be6fa78b7..a153817974b3b958f3a6497e14707184cce37b6a 100644 (file)
@@ -5863,6 +5863,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                                {
                                        options = DNS_DBADD_PREFETCH;
                                }
+                               if ((fctx->options &
+                                    DNS_FETCHOPT_NOCACHED) != 0)
+                               {
+                                       options |= DNS_DBADD_FORCE;
+                               }
                                addedrdataset = ardataset;
                                result = dns_db_addrdataset(fctx->cache, node,
                                                            NULL, now, rdataset,
index d0da729750e16eba4d95d6f6c07f1a13bcbd33a5..4966de4cc3599f88fd12464720d650854ce04317 100644 (file)
@@ -9754,11 +9754,21 @@ zone_refreshkeys(dns_zone_t *zone) {
                                     namebuf);
                }
 
+               /*
+                * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is
+                * not set and the cache still holds a non-expired, validated
+                * version of the RRset being queried for by the time the
+                * response is received, the cached RRset will be passed to
+                * keyfetch_done() instead of the one received in the response
+                * as the latter will have a lower trust level due to not being
+                * validated until keyfetch_done() is called.
+                */
                result = dns_resolver_createfetch(zone->view->resolver,
                                                  kname, dns_rdatatype_dnskey,
                                                  NULL, NULL, NULL,
                                                  DNS_FETCHOPT_NOVALIDATE|
-                                                 DNS_FETCHOPT_UNSHARED,
+                                                 DNS_FETCHOPT_UNSHARED|
+                                                 DNS_FETCHOPT_NOCACHED,
                                                  zone->task,
                                                  keyfetch_done, kfetch,
                                                  &kfetch->dnskeyset,
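Review bot: The new comment explains the mechanism of DNS_FETCHOPT_NOCACHED but not its consequence for RFC 5011, which is what a reader of zone_refreshkeys needs: presumably a still-valid cached DNSKEY RRset would hide keys the zone has since added or revoked, so the refresh would act on stale key state until the cache entry expired. I would append a sentence such as `Otherwise a still-valid cached DNSKEY RRset could hide keys the zone has added or revoked since it was cached.` to the comment. It would also help to state that the fetch is NOVALIDATE and NOCACHED together, meaning the unvalidated answer is force-stored in the cache with lower trust and only validated afterwards in keyfetch_done(), which the comment already relies on. zone_refreshkeys starts and ends outside the hunk.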