From cf687c0bdac2e411fb2d47d04a9432e732b5fec3 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 27 Aug 2025 14:33:01 +0000
Subject: [PATCH] RPZ 'servfail-until-ready': skip updating SERVFAIL cache
In order to not pollute the SERVFAIL cache with the configured SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC attribute for the client.
(cherry picked from commit d9b5f6c5025b758c104d50853de2fd5545d38393)
---
 lib/ns/query.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index d43f94c124..2ebd05f47b 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -4359,6 +4359,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 if (first_time && popt.servfail_until_ready && zones_processed < zones_registered) {
+ /* Do not pollute SERVFAIL cache */
+ client->attributes |= NS_CLIENTATTR_NOSETFC;
+
 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL, DNS_RPZ_TYPE_QNAME, "RPZ not ready yet", result);
 st->m.policy = DNS_RPZ_POLICY_ERROR;
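Review bot: The added comment `/* Do not pollute SERVFAIL cache */` says what the line does but not why, and the reason is the security-relevant part: the SERVFAIL produced by `DNS_RPZ_POLICY_ERROR` here is a deliberate, transient policy answer for the "RPZ not ready yet" window, not a resolution failure, so caching it would keep clients getting SERVFAIL for the failcache lifetime after the zones finish loading. I would expand it to `/* This SERVFAIL is a transient RPZ policy answer, not a resolution failure; keep it out of the SERVFAIL cache so it is not replayed after the zones load. */`. The hunk relies on the SERVFAIL for this policy being emitted through a path that honours NS_CLIENTATTR_NOSETFC, and on the attribute being reset per request rather than persisting on a reused client; neither is visible here, so both are worth confirming. The enclosing function rpz_rewrite starts and ends outside the hunk.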