From 36ef75916468dd4e800066411c265aa61e07cdca Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 27 Aug 2025 15:25:43 +0000
Subject: [PATCH] Log the servfail-until-ready message not faster than once per second

Since the log level has been raised, busy servers can "explode" from the amount of log messages. Use the usual practice of logging "every once in a while".

(cherry picked from commit 1962857ac4a306c99799a730aab2996ea1d46e72)
---
 lib/ns/query.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 5920d773af..54c541d55d 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -209,6 +210,20 @@ client_trace(ns_client_t *client, int level, const char *message) {
 } while (0)
 #define RESTORE(a, b) SAVE(a, b)
+static atomic_uint_fast32_t last_rpznotready_log = 0;
+
+static bool
+can_log_rpznotready(void) {
+ isc_stdtime_t last;
+ isc_stdtime_t now = isc_stdtime_now();
+ last = atomic_exchange_relaxed(&last_rpznotready_log, now);
+ if (now != last) {
+ return true;
+ }
+
+ return false;
+}
+
 static bool
 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
@@ -4362,9 +4377,12 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 /* Do not pollute SERVFAIL cache */
 client->attributes |= NS_CLIENTATTR_NOSETFC;
- rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
- DNS_RPZ_TYPE_QNAME, "RPZ servfail-until-ready",
- DNS_R_WAIT);
+ if (can_log_rpznotready()) {
+ rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
+ DNS_RPZ_TYPE_QNAME,
+ "RPZ servfail-until-ready", DNS_R_WAIT);
+ }
+
 st->m.policy = DNS_RPZ_POLICY_ERROR;
 goto cleanup;
 }
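Review bot: `can_log_rpznotready()` and `last_rpznotready_log` carry no comment, and the limiter they implement is process-wide: a single slot per wall-clock second is shared by every client (and by every view, if the server has more than one), with no count of what was dropped. I would add above the function `/* Returns true at most once per wall-clock second, server-wide; callers that get false must skip the log call. */` and consider keeping a counter of suppressed messages, so the volume of SERVFAIL answers during the not-ready window can still be reconstructed from the logs. The body can be reduced to `return now != last;`. The exchange stores an `isc_stdtime_t` into an `atomic_uint_fast32_t`; the typedef is outside this patch, so confirm the widths agree on the branch this was cherry-picked to.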
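Review bot: The message text passed to `rpz_log_fail()` is unchanged, so someone reading the log cannot tell that each line now stands for up to a second of refused queries rather than one, and the client it reports is simply the one that happened to win the slot. A comment at the call, for example `/* Sampled: at most one line per second server-wide; every query still gets SERVFAIL. */`, would record that for whoever triages an RPZ load delay from these logs. The `NS_CLIENTATTR_NOSETFC` and `DNS_RPZ_POLICY_ERROR` assignments do stay outside the `if`, so only the logging is gated. The enclosing block of `rpz_rewrite()` starts outside the hunk.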