From 4b114838de3291c3d555935f2a42f62383b917d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Sun, 2 Feb 2025 13:38:04 +0100
Subject: [PATCH] Add better ZEROTTL handling in bindrdataset()

If we know that the header has ZEROTTL set, the server should never send
stale records for it and the TTL should never be anything else than 0.
The comment was already there, but the code was not matching the
comment.

(cherry picked from commit cfee6aa56557f9fde8bd47949c5165edaf350113)
---
 lib/dns/qpcache.c | 3 ++-
 lib/dns/rbtdb.c   | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 83ce178ee0..25a93431d2 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -1058,7 +1058,7 @@ bindrdataset(qpcache_t *qpdb, qpcnode_t *node, dns_slabheader_t *header,
 		 * (these records should not be cached anyway).
 		 */
 
-		if (KEEPSTALE(qpdb) && stale_ttl > now) {
+		if (!ZEROTTL(header) && KEEPSTALE(qpdb) && stale_ttl > now) {
 			stale = true;
 		} else {
 			/*
@@ -1073,6 +1073,7 @@ bindrdataset(qpcache_t *qpdb, qpcnode_t *node, dns_slabheader_t *header,
 	rdataset->rdclass = qpdb->common.rdclass;
 	rdataset->type = DNS_TYPEPAIR_TYPE(header->type);
 	rdataset->covers = DNS_TYPEPAIR_COVERS(header->type);
+	rdataset->ttl = !ZEROTTL(header) ? header->ttl - now : 0;
 	rdataset->ttl = header->ttl - now;
 	rdataset->trust = header->trust;
 	rdataset->resign = 0;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 1a53ede503..cd81fe4550 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -2150,7 +2150,7 @@ dns__rbtdb_bindrdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		 * (these records should not be cached anyway).
 		 */
 
-		if (KEEPSTALE(rbtdb) && stale_ttl > now) {
+		if (!ZEROTTL(header) && KEEPSTALE(rbtdb) && stale_ttl > now) {
 			stale = true;
 		} else {
 			/*
@@ -2165,7 +2165,7 @@ dns__rbtdb_bindrdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	rdataset->rdclass = rbtdb->common.rdclass;
 	rdataset->type = DNS_TYPEPAIR_TYPE(header->type);
 	rdataset->covers = DNS_TYPEPAIR_COVERS(header->type);
-	rdataset->ttl = header->ttl - now;
+	rdataset->ttl = !ZEROTTL(header) ? header->ttl - now : 0;
 	rdataset->trust = header->trust;
 
 	if (NEGATIVE(header)) {