From ef8092521f151d0338cc2d3035c3259bff1338ca Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Fri, 18 Sep 2015 13:52:44 +0200
Subject: [PATCH] improve SOA caching for DS queries

---
 pdns/dnsbackend.cc   |  7 +++++--
 pdns/ueberbackend.cc | 18 ++++++++++--------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
index 09e02e47d..47351ed16 100644
--- a/pdns/dnsbackend.cc
+++ b/pdns/dnsbackend.cc
@@ -49,7 +49,7 @@ bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *z
   bool found=false;
   string subdomain(target);
   do {
-    if( best_match_len >= (int)subdomain.length() )
+    if( best_match_len >= (int)subdomain.length() && p->qtype != QType::DS )
       break;
 
     map<string,int>::iterator it = negCacheMap.find(subdomain);
@@ -59,14 +59,17 @@ bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *z
       sd->qname = subdomain;
       if(zoneId)
         *zoneId = sd->domain_id;
+      if(found) // Second SOA found, we are done
+        return true;
 
       if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) {
         // Found authoritative zone but look for parent zone with 'DS' record.
-        negCacheMap[subdomain]=2;
         found=true;
       } else
         return true;
     }
+    if (found)
+      negCacheMap[subdomain]=2; // don't cache SOA's during our quest for a parent zone
   }
   while( chopOff( subdomain ) );   // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
 
diff --git a/pdns/ueberbackend.cc b/pdns/ueberbackend.cc
index 8ddfa981a..0a3d4f2ca 100644
--- a/pdns/ueberbackend.cc
+++ b/pdns/ueberbackend.cc
@@ -283,7 +283,7 @@ bool UeberBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int
   // If not special case of caching explicitly disabled (sd->db = -1), first
   // find the best match from the cache. If DS then we need to find parent so
   // dont bother with caching as it confuses matters.
-  if( sd->db != (DNSBackend *)-1 && d_cache_ttl && p->qtype != QType::DS ) {
+  if( sd->db != (DNSBackend *)-1 && d_cache_ttl ) {
       string subdomain(target);
       int cstat, loops = 0;
       do {
@@ -302,13 +302,14 @@ bool UeberBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int
           //L<<Logger::Error<<"Best cache match: " << sd->qname << " itteration " << loops <<endl;
 
           // Found first time round this must be the best match
-          if( loops == 0 )
+          if( loops == 0  && p->qtype != QType::DS)
             return true;
 
           from_cache = true;
           best_match_len = sd->qname.length();
 
-          break;
+          if ( p->qtype != QType::DS || best_match_len < (int)target.length())
+            break;
         } else if (cstat==0) {
           negCacheMap[subdomain]=1;
         } else
@@ -319,14 +320,15 @@ bool UeberBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int
   }
 
   for(vector<DNSBackend *>::const_iterator i=backends.begin(); i!=backends.end();++i) {
+
+    // Shortcut for the case that we got a direct hit - no need to go
+    // through the other backends then.
+    if( best_match_len == (int)target.length() && p->qtype != QType::DS )
+      goto auth_found;
+
     if((*i)->getAuth(p, sd, target, zoneId, best_match_len, negCacheMap)) {
         best_match_len = sd->qname.length();
         from_cache = false;
-
-        // Shortcut for the case that we got a direct hit - no need to go
-        // through the other backends then.
-        if( best_match_len == (int)target.length() )
-          goto auth_found;
     }
   }
 
-- 
2.40.0