From 1962857ac4a306c99799a730aab2996ea1d46e72 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 27 Aug 2025 15:25:43 +0000
Subject: [PATCH] Log the servfail-until-ready message not faster than once per second

Since the log level has been raised, busy servers can "explode" from the amount of log messages. Use the usual practice of logging "every once in a while".
---
 lib/ns/query.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 11b9ee0214..99f742a292 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -208,6 +209,20 @@ client_trace(ns_client_t *client, int level, const char *message) {
 } while (0)
 #define RESTORE(a, b) SAVE(a, b)
+static atomic_uint_fast32_t last_rpznotready_log = 0;
+
+static bool
+can_log_rpznotready(void) {
+ isc_stdtime_t last;
+ isc_stdtime_t now = isc_stdtime_now();
+ last = atomic_exchange_relaxed(&last_rpznotready_log, now);
+ if (now != last) {
+ return true;
+ }
+
+ return false;
+}
+
 static bool
 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
@@ -4007,9 +4022,12 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 /* Do not pollute SERVFAIL cache */
 client->inner.attributes |= NS_CLIENTATTR_NOSETFC;
- rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
- DNS_RPZ_TYPE_QNAME, "RPZ servfail-until-ready",
- DNS_R_WAIT);
+ if (can_log_rpznotready()) {
+ rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
+ DNS_RPZ_TYPE_QNAME,
+ "RPZ servfail-until-ready", DNS_R_WAIT);
+ }
+
 st->m.policy = DNS_RPZ_POLICY_ERROR;
 goto cleanup;
 }
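Review bot: `can_log_rpznotready()` and `last_rpznotready_log` carry no comment, and the limiter they implement is process-wide: every caller shares one timestamp, so the single line that gets through each second is a sample and the log no longer shows how many queries were answered with SERVFAIL. I would state that above the static, e.g. `/* Second of the last "RPZ servfail-until-ready" log line; shared by all clients, so the message is a sample, not a per-query record. */`. Because the exchange is unconditional, two threads that read `isc_stdtime_now()` on either side of a second boundary can keep swapping N and N+1 and each pass the `now != last` test, so the bound is approximate; a compare-exchange that only moves the value forward would make it strict. The storage also assumes `isc_stdtime_t` fits in 32 bits, which is not visible here, and the tail of the function can be `return now != last;`.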
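Review bot: Nothing at this call site records the messages that `can_log_rpznotready()` suppresses, so a burst of queries during the not-ready window leaves the same one line per second as a trickle would, and whoever reads the log during an incident cannot tell the two apart. If the project has a statistics counter suitable for this path (none is visible in the hunk), incrementing it whether or not the line is logged would keep the volume observable. At minimum a comment such as `/* Only the log line is rate-limited; the query is still failed below. */` above the `if` would make the intent clear. The body of `rpz_rewrite()` starts and ends outside the hunk.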