From: Remi Gacogne
Date: Thu, 19 Oct 2017 09:57:32 +0000 (+0200)
Subject: rec: Don't directly store NSEC3 records in the positive cache
X-Git-Tag: rec-4.1.0-rc2~25^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=005b4b9810cb30fb4459891448c1c4a4ddf5965f;p=pdns
rec: Don't directly store NSEC3 records in the positive cache
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index f5cbe0073..dc7e8110b 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1918,7 +1918,14 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 } }
- t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState);
+ /* We don't need to store NSEC3 records in the positive cache because:
+ - we don't allow direct NSEC3 queries
+ - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs
+ - denial of existence proofs for negative responses are stored in the negative cache
+ */
+ if (i->first.type != QType::NSEC3) {
+ t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState);
+ }
 if(i->first.place == DNSResourceRecord::ANSWER && ednsmask) d_wasVariable=true;
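Review bot: The new guard `if (i->first.type != QType::NSEC3)` is only safe while the three invariants listed in the comment hold, and all three are enforced outside this hunk, so the comment should say where. The first one ("we don't allow direct NSEC3 queries") matters most: if that rejection were ever relaxed, such lookups could never be answered from the positive cache and nothing here would flag it. I would add a line explaining why NSEC, which is still cached by this code, is treated differently, for example `- NSEC is still cached here: unlike NSEC3 it can be queried directly`. A regression test would pin the intent by checking that an NSEC3 RRset from a response is absent from the record cache while the denial proof stays reachable through authorityRecs or the negative cache; no test is visible on this page. updateCacheFromRecords starts and ends outside the hunk, so how the skipped entry's signatures are handled elsewhere cannot be judged from these lines.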