From d46277b398abc4f226002515f457da77e00878f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 18 Feb 2026 06:39:33 +0100
Subject: [PATCH] Clear serve-stale flags when following the CNAME chains

A stale answer or SERVFAIL could have been served in case of multiple
upstream failures when following the CNAME chains. This has been fixed.
---
 lib/ns/query.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 59165a2537..b457d61173 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5382,6 +5382,8 @@ qctx_setrad(query_ctx_t *qctx) {
 isc_result_t
 ns__query_start(query_ctx_t *qctx) {
 	isc_result_t result = ISC_R_UNSET;
+	ns_client_t *client = qctx->client;
+
 	CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start");
 	qctx->want_restart = false;
 	qctx->authoritative = false;
@@ -5390,6 +5392,13 @@ ns__query_start(query_ctx_t *qctx) {
 	qctx->need_wildcardproof = false;
 	qctx->rpz = false;
 
+	/*
+	 * Clean existing stale options in case ns__query_start was restarted
+	 * due to the CNAME/DNAME chains.
+	 */
+	client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+				     DNS_DBFIND_STALEOK);
+
 	CALL_HOOK(NS_QUERY_START_BEGIN, qctx);
 
 	/*