bind9/lib
Evan Hunt a7a90eb9d8 Check for secure data before caching CD=1 NXDOMAIN
An unvalidated NXDOMAIN (e.g. from a CD=1 query) marked every RRset at
the name ancient without checking trust, evicting DNSSEC-validated data.
Keep the cache unchanged when any existing RRset is already secure.

dns_ncache_add() now returns DNS_R_UNCHANGED for the rejected add;
negcache() serves a matching cached negative or the queried type, else
SERVFAIL (never the unrelated RRset the add bound), and rctx_ncache()
forwards it so the fetch fails fast.
2026-07-01 23:56:50 -07:00
dns Check for secure data before caching CD=1 NXDOMAIN 2026-07-01 23:56:50 -07:00
isc Replace uint with unsigned int in the histo.c unit 2026-07-01 08:04:48 +02:00
isccc switch isc_md_type_t to a proper enum 2026-02-02 11:12:55 +03:00
isccfg Delegations have a minimal TTL of 60 seconds 2026-07-01 08:40:05 +02:00
ns Add DNS_PRIVATE_BUFFERSIZE and use it 2026-07-02 10:08:52 +10:00
.gitignore The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
meson.build replace the build system with meson 2025-06-11 10:30:12 +03:00