From d5cf2698ef091eee15c0f2fc0f5e19d06fd4a47b Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Wed, 6 Nov 2024 15:57:53 +0100
Subject: [PATCH] - Explicit RRSIG queries are not expected to be validated.
---
 services/cache/dns.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/services/cache/dns.c b/services/cache/dns.c
index d9536c0e7..5a6036f86 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -1081,7 +1081,15 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
 && cached->security != sec_status_bogus
 && (env->need_to_validate &&
 msgrep->security == sec_status_unchecked)
- && !is_valrec) {
+ /* Exceptions to that rule are:
+ * o recursions that don't need validation but
+ * need to update the cache for coherence
+ * (delegation information while iterating,
+ * DNSKEY and DS lookups from validator)
+ * o explicit RRSIG queries that are not
+ * validated. */
+ && !is_valrec
+ && msgqinf->qtype != LDNS_RR_TYPE_RRSIG) {
 verbose(VERB_ALGO, "a validated expired entry "
 "could be overwritten, skip caching "
 "the new message at this stage");
-- 
2.47.2
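Review bot: The new `&& msgqinf->qtype != LDNS_RR_TYPE_RRSIG` operand at the end of the condition relies on an invariant that is decided outside this file, namely that replies to explicit RRSIG queries never get validated, and nothing in the hunk ties the two together. If that handling ever changes, this exemption would presumably let a `sec_status_unchecked` reply replace a validated expired entry without any validation pass. The comment should therefore say where the skip is decided, for example `* o explicit RRSIG queries, which the validator does not validate (keep in sync with the validator's qtype handling).` The diffstat shows only `services/cache/dns.c`, so a regression test with serve-expired enabled and an explicit RRSIG query would be worth adding to pin the behaviour. The enclosing `if` starts above the hunk, so the rule that "that rule" refers to is not visible here.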