From 005b4b9810cb30fb4459891448c1c4a4ddf5965f Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Thu, 19 Oct 2017 11:57:32 +0200
Subject: [PATCH] rec: Don't directly store NSEC3 records in the positive cache
---
 pdns/syncres.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index f5cbe0073..dc7e8110b 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1918,7 +1918,14 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 }
 }
- t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState);
+ /* We don't need to store NSEC3 records in the positive cache because:
+ - we don't allow direct NSEC3 queries
+ - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs
+ - denial of existence proofs for negative responses are stored in the negative cache
+ */
+ if (i->first.type != QType::NSEC3) {
+ t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState);
+ }
 if(i->first.place == DNSResourceRecord::ANSWER && ednsmask)
 d_wasVariable=true;
-- 
2.40.0
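Review bot: The new guard around `t_RC->replace(...)` excludes only `QType::NSEC3`, and the added comment does not say why NSEC entries, which are also denial-of-existence data, still go into the positive cache. Presumably this is deliberate because NSEC can be queried directly, but someone auditing which DNSSEC proof records can be served from the record cache has to infer that. If that is the reason, I would add one line to the comment, e.g. `- NSEC records are still stored here because, unlike NSEC3, they can be queried directly`. The diffstat shows only pdns/syncres.cc changing, so nothing visible pins the new behaviour; a unit test asserting that an NSEC3 set from a wildcard-expanded answer is absent from the record cache, while still present in `authorityRecs`, would guard against regression. The enclosing loop in `updateCacheFromRecords` starts and ends outside the hunk.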