From f4adabb2dd33510a91a30a129d8b5afe601348c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 8 Nov 2025 12:06:20 +0100 Subject: [PATCH] Evict the RRSIG when adding negative header Formerly, we've evicted the RRSIG(type) only when we were changing existing header from positive to negative. Move the eviction routine for the RRSIG to a common path, so the RRSIG also gets evicted when we are adding new negative header for a specific type. --- lib/dns/qpcache.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index 2197959174..fe69818f54 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -2912,15 +2912,7 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, mark_ancient(oldheader); - if (EXISTS(newheader) && NEGATIVE(newheader) && - !dns_rdatatype_issig(rdtype)) - { - if (oldtop->related != NULL) { - dns_slabheader_t *oldsigheader = - first_header(oldtop->related); - mark_ancient(oldsigheader); - } - } + INSIST(oldtop->related == related); } else if (!EXISTS(newheader)) { /* * The type already doesn't exist; no point trying @@ -2975,6 +2967,18 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, } } + /* + * We've added a proof that a rdtype doesn't exist. + * + * Mark the related rrsig in the cache as ancient. + */ + if (EXISTS(newheader) && NEGATIVE(newheader) && + !dns_rdatatype_issig(rdtype) && related != NULL) + { + dns_slabheader_t *oldsigheader = first_header(oldtop->related); + mark_ancient(oldsigheader); + } + bindrdataset(qpdb, qpnode, newheader, now, nlocktype, tlocktype, addedrdataset DNS__DB_FLARG_PASS);