From a321baf91914f8f77b9f207a28ec898713d727a6 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 16 Jan 2019 09:32:35 +0100
Subject: [PATCH] rec: Don't cache non-AA records that we won't use
---
 pdns/syncres.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index a513bf357..52d3e1b65 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2370,8 +2370,12 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 - we don't allow direct NSEC3 queries
 - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs
 - denial of existence proofs for negative responses are stored in the negative cache
+ We also don't want to cache non-authoritative data except for:
+ - records coming from non forward-recurse servers (those will never be AA)
+ - DS (special case)
+ - NS, A and AAAA (used for infra queries)
 */
- if (i->first.type != QType::NSEC3) {
+ if (i->first.type != QType::NSEC3 && (i->first.type == QType::DS || i->first.type == QType::NS || i->first.type == QType::A || i->first.type == QType::AAAA || isAA || wasForwardRecurse)) {
 t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState);
 }

-- 
2.40.0
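Review bot: The new cache-admission condition exempts `NS`, `A` and `AAAA` by type alone, so a non-AA record of those types is still stored whatever section it arrived in and whether or not it is ever used for an infra query. If the intent is to keep only referral NS and glue, consider also testing `i->first.place` (for example admitting non-AA `A`/`AAAA` only outside `DNSResourceRecord::ANSWER`). Otherwise, extend the comment to say that these entries are stored with the non-authoritative flag (`isAA` is passed through to `replace`) and why that is sufficient; how the cache treats that flag is not visible in this hunk. Separately, the first new bullet says "non forward-recurse servers" while the code admits records when `wasForwardRecurse` is true, so it presumably should read `- records coming from forward-recurse servers (those will never be AA)`. `isAA` and `wasForwardRecurse` are set outside the hunk, and the enclosing function starts and ends outside it.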