Merge pull request #7178 from rgacogne/rec-skip-cname-ns-zone

rec: Skip NS for the exact zone in CNAME answers

diff --cc pdns/recursordist/test-syncres_cc.cc
Simple merge

diff --cc pdns/syncres.cc
index 6d224cea0bfd1223ace1fc5cb6696199d096a26f,75d495aa1c8d3a0dc92bbf87db29043eda97f1d2..c463a5320d771018ff5d1b3cace1569d56798e98
--- 1/pdns/syncres.cc
--- 2/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@@ -2138,9 -2135,20 +2138,21 @@@ RCode::rcodes_ SyncRes::updateCacheFrom
          associated with the alias.
        */
        isAA = false;
 +      expectSignature = false;
      }
  
+     if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) {
+       /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the
+          record describing that alias is necessarily authoritative.
+          But if we allow the current auth, which might be serving the child zone, to raise the TTL
+          of non-authoritative NS in the cache, they might be able to keep a "ghost" zone alive forever,
+          even after the delegation is gone from the parent.
+          So let's just do nothing with them, we can fetch them directly if we need them.
+       */
+       LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CNAME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
+       continue;
+     }
+ 
      vState recordState = getValidationStatus(i->first.name, false);
      LOG(d_prefix<<": got initial zone status "<<vStates[recordState]<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);