- Added serve-expired-ttl and serve-expired-ttl-reset options.

git-svn-id: file:///svn/unbound/trunk@4876 be551aaa-1e26-0410-a405-d3ace91eadb9

cachedb/cachedb.c

@@ -446,6 +446,7 @@ adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
 		msg->rep->ttl -= adjust;
 	else	msg->rep->ttl = 0;
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 
 	for(i=0; i<msg->rep->rrset_count; i++) {
 		packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->

daemon/cachedump.c

@@ -653,6 +653,7 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
 	rep.qdcount = (uint16_t)qdcount;
 	rep.ttl = (time_t)ttl;
 	rep.prefetch_ttl = PREFETCH_TTL_CALC(rep.ttl);
+	rep.serve_expired_ttl = rep.ttl + SERVE_EXPIRED_TTL;
 	rep.security = (enum sec_status)security;
 	if(an > RR_COUNT_MAX || ns > RR_COUNT_MAX || ar > RR_COUNT_MAX) {
 		log_warn("error too many rrsets");

daemon/remote.c

@@ -1633,6 +1633,7 @@ zone_del_msg(struct lruhash_entry* e, void* arg)
 		if(d->ttl > inf->expired) {
 			d->ttl = inf->expired;
 			d->prefetch_ttl = inf->expired;
+			d->serve_expired_ttl = inf->expired;
 			inf->num_msgs++;
 		}
 	}

daemon/worker.c

@@ -629,7 +629,9 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		&& worker->env.need_to_validate;
 	*partial_repp = NULL;	/* avoid accidental further pass */
 	if(worker->env.cfg->serve_expired) {
-		/* always lock rrsets, rep->ttl is ignored */
+		if(worker->env.cfg->serve_expired_ttl &&
+			rep->serve_expired_ttl < timenow)
+			return 0;
 		if(!rrset_array_lock(rep->ref, rep->rrset_count, 0))
 			return 0;
 		/* below, rrsets with ttl before timenow become TTL 0 in

dns64/dns64.c

@@ -781,8 +781,9 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
 	 * Build the actual reply.
 	 */
 	cp = construct_reply_info_base(super->region, rep->flags, rep->qdcount,
-		rep->ttl, rep->prefetch_ttl, rep->an_numrrsets, rep->ns_numrrsets,
-		rep->ar_numrrsets, rep->rrset_count, rep->security);
+		rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
+		rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
+		rep->rrset_count, rep->security);
 	if(!cp)
 		return;
 

doc/Changelog

@@ -1,5 +1,6 @@
 28 August 2018: Ralph
 	- Disable minimal-responses in ipsecmod unit tests.
+	- Added serve-expired-ttl and serve-expired-ttl-reset options.
 
 27 August 2018: Wouter
 	- Set defaults to yes for a number of options to increase speed and

doc/example.conf.in

@@ -543,6 +543,16 @@ server:
 	# Serve expired responses from cache, with TTL 0 in the response,
 	# and then attempt to fetch the data afresh.
 	# serve-expired: no
+	#
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	# serve-expired-ttl: 0
+	#
+	# Set the TTL of expired records to the serve-expired-ttl value after a
+	# failed attempt to retrieve the record from upstream. This makes sure
+	# that the expired records will be served as long as there are queries
+	# for it.
+	# serve-expired-ttl-reset: no
 
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.

doc/unbound.conf.5.in

@@ -1013,6 +1013,17 @@ If enabled, unbound attempts to serve old responses from cache with a
 TTL of 0 in the response without waiting for the actual resolution to finish.
 The actual resolution answer ends up in the cache later on.  Default is "no".
 .TP
+.B serve\-expired\-ttl: \fI<seconds>
+Limit serving of expired responses to configured seconds after expiration. 0
+disables the limit. This option only applies when \fBserve\-expired\fR is
+enabled. The default is 0.
+.TP
+.B serve\-expired\-ttl\-reset: \fI<yes or no>
+Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
+failed attempt to retrieve the record from upstream. This makes sure that the
+expired records will be served as long as there are queries for it. Default is
+"no".
+.TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the

ipsecmod/ipsecmod.c

@@ -341,6 +341,8 @@ ipsecmod_handle_query(struct module_qstate* qstate,
 						qstate->env->cfg->ipsecmod_max_ttl;
 					qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
 						qstate->return_msg->rep->ttl);
+					qstate->return_msg->rep->prefetch_ttl = qstate->return_msg->rep->ttl +
+						qstate->env->cfg->serve_expired_ttl;
 				}
 			}
 		}

iterator/iterator.c

@@ -304,8 +304,20 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 			if((msg=msg_cache_lookup(qstate->env,
 				qstate->qinfo.qname, qstate->qinfo.qname_len,
 				qstate->qinfo.qtype, qstate->qinfo.qclass,
-				qstate->query_flags, 0, 0))
+				qstate->query_flags, 0,
+				qstate->env->cfg->serve_expired_ttl_reset))
 				!= NULL) {
+				if(qstate->env->cfg->serve_expired_ttl_reset) {
+					struct reply_info* rep =
+						(struct reply_info*)msg->entry.data;
+					if(rep && *qstate->env->now +
+						qstate->env->cfg->serve_expired_ttl  >
+						rep->serve_expired_ttl) {
+						rep->serve_expired_ttl =
+							*qstate->env->now +
+							qstate->env->cfg->serve_expired_ttl;
+					}
+				}
 				lock_rw_unlock(&msg->entry.lock);
 				return error_response(qstate, id, rcode);
 			}
@@ -319,6 +331,7 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 		err.qdcount = 1;
 		err.ttl = NORR_TTL;
 		err.prefetch_ttl = PREFETCH_TTL_CALC(err.ttl);
+		err.serve_expired_ttl = NORR_TTL;
 		/* do not waste time trying to validate this servfail */
 		err.security = sec_status_indeterminate;
 		verbose(VERB_ALGO, "store error response in message cache");
@@ -3318,6 +3331,8 @@ processClassResponse(struct module_qstate* qstate, int id,
 			to->rep->ttl = from->rep->ttl;
 		if(from->rep->prefetch_ttl < to->rep->prefetch_ttl)
 			to->rep->prefetch_ttl = from->rep->prefetch_ttl;
+		if(from->rep->serve_expired_ttl < to->rep->serve_expired_ttl)
+			to->rep->serve_expired_ttl = from->rep->serve_expired_ttl;
 	}
 	/* are we done? */
 	foriq->num_current_queries --;

respip/respip.c

@@ -611,8 +611,9 @@ make_new_reply_info(const struct reply_info* rep, struct regional* region,
 	 * EDNS0 OPT RR in the additional section appended on sending it out),
 	 * so the total number of RRsets is an_numrrsets. */
 	new_rep = construct_reply_info_base(region, rep->flags,
-		rep->qdcount, rep->ttl, rep->prefetch_ttl, an_numrrsets,
-		0, 0, an_numrrsets, sec_status_insecure);
+		rep->qdcount, rep->ttl, rep->prefetch_ttl,
+		rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets,
+		sec_status_insecure);
 	if(!new_rep)
 		return NULL;
 	if(!reply_info_alloc_rrset_keys(new_rep, NULL, region))

services/authzone.c

@@ -185,11 +185,13 @@ msg_ttl(struct dns_msg* msg)
 	if(msg->rep->rrset_count == 1) {
 		msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
 		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+		msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	} else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
 		msg->rep->ttl) {
 		msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
 			msg->rep->rrset_count-1]);
 		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+		msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	}
 }
 
@@ -2285,6 +2287,7 @@ az_add_negative_soa(struct auth_zone* z, struct regional* region,
 	d->rr_ttl[0] = (time_t)minimum;
 	msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	return 1;
 }
 

services/cache/dns.c

@@ -547,6 +547,7 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
 	if(r->prefetch_ttl > now)
 		msg->rep->prefetch_ttl = r->prefetch_ttl - now;
 	else	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	msg->rep->security = r->security;
 	msg->rep->an_numrrsets = r->an_numrrsets;
 	msg->rep->ns_numrrsets = r->ns_numrrsets;
@@ -601,6 +602,7 @@ rrset_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
 	msg->rep->qdcount = 1;
 	msg->rep->ttl = d->ttl - now;
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	msg->rep->security = sec_status_unchecked;
 	msg->rep->an_numrrsets = 1;
 	msg->rep->ns_numrrsets = 0;
@@ -638,6 +640,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
 	msg->rep->qdcount = 1;
 	msg->rep->ttl = d->ttl - now;
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
 	msg->rep->security = sec_status_unchecked;
 	msg->rep->an_numrrsets = 1;
 	msg->rep->ns_numrrsets = 0;
@@ -696,6 +699,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
 	newd->rr_ttl[0] = newd->ttl;
 	msg->rep->ttl = newd->ttl;
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(newd->ttl);
+	msg->rep->serve_expired_ttl = newd->ttl + SERVE_EXPIRED_TTL;
 	sldns_write_uint16(newd->rr_data[0], newlen);
 	memmove(newd->rr_data[0] + sizeof(uint16_t), newname, newlen);
 	msg->rep->an_numrrsets ++;

util/config_file.c

@@ -234,6 +234,8 @@ config_create(void)
 	cfg->aggressive_nsec = 0;
 	cfg->ignore_cd = 0;
 	cfg->serve_expired = 0;
+	cfg->serve_expired_ttl = 0;
+	cfg->serve_expired_ttl_reset = 0;
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
 	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
@@ -556,6 +558,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("aggressive-nsec:", aggressive_nsec)
 	else S_YNO("ignore-cd-flag:", ignore_cd)
 	else S_YNO("serve-expired:", serve_expired)
+	else if(strcmp(opt, "serve_expired_ttl:") == 0)
+	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_ttl = atoi(val); SERVE_EXPIRED_TTL=(time_t)cfg->serve_expired_ttl;}
+	else S_YNO("serve-expired-ttl-reset:", serve_expired_ttl_reset)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
@@ -937,6 +942,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
 	else O_YNO(opt, "ignore-cd-flag", ignore_cd)
 	else O_YNO(opt, "serve-expired", serve_expired)
+	else O_DEC(opt, "serve-expired-ttl", serve_expired_ttl)
+	else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_UNS(opt, "add-holddown", add_holddown)
 	else O_UNS(opt, "del-holddown", del_holddown)
@@ -1860,6 +1867,7 @@ config_apply(struct config_file* config)
 {
 	MAX_TTL = (time_t)config->max_ttl;
 	MIN_TTL = (time_t)config->min_ttl;
+	SERVE_EXPIRED_TTL = (time_t)config->serve_expired_ttl;
 	MAX_NEG_TTL = (time_t)config->max_negative_ttl;
 	RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;

util/config_file.h

@@ -339,6 +339,10 @@ struct config_file {
 	int ignore_cd;
 	/** serve expired entries and prefetch them */
 	int serve_expired;
+	/** serve expired entries until TTL after expiration */
+	int serve_expired_ttl;
+	/** reset serve expired TTL after failed update attempt */
+	int serve_expired_ttl_reset;
 	/** nsec3 maximum iterations per key size, string */
 	char* val_nsec3_key_iterations;
 	/** autotrust add holddown time, in seconds */

util/configlexer.lex

@@ -354,6 +354,8 @@ val-permissive-mode{COLON}	{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
 aggressive-nsec{COLON}		{ YDVAR(1, VAR_AGGRESSIVE_NSEC) }
 ignore-cd-flag{COLON}		{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
 serve-expired{COLON}		{ YDVAR(1, VAR_SERVE_EXPIRED) }
+serve-expired-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
+serve-expired-ttl-reset{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
 fake-dsa{COLON}			{ YDVAR(1, VAR_FAKE_DSA) }
 fake-sha1{COLON}		{ YDVAR(1, VAR_FAKE_SHA1) }
 val-log-level{COLON}		{ YDVAR(1, VAR_VAL_LOG_LEVEL) }

util/configparser.h

@@ -244,56 +244,58 @@ extern int yydebug;
     VAR_ACCESS_CONTROL_VIEW = 454,
     VAR_VIEW_FIRST = 455,
     VAR_SERVE_EXPIRED = 456,
-    VAR_FAKE_DSA = 457,
-    VAR_FAKE_SHA1 = 458,
-    VAR_LOG_IDENTITY = 459,
-    VAR_HIDE_TRUSTANCHOR = 460,
-    VAR_TRUST_ANCHOR_SIGNALING = 461,
-    VAR_AGGRESSIVE_NSEC = 462,
-    VAR_USE_SYSTEMD = 463,
-    VAR_SHM_ENABLE = 464,
-    VAR_SHM_KEY = 465,
-    VAR_ROOT_KEY_SENTINEL = 466,
-    VAR_DNSCRYPT = 467,
-    VAR_DNSCRYPT_ENABLE = 468,
-    VAR_DNSCRYPT_PORT = 469,
-    VAR_DNSCRYPT_PROVIDER = 470,
-    VAR_DNSCRYPT_SECRET_KEY = 471,
-    VAR_DNSCRYPT_PROVIDER_CERT = 472,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 473,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 474,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 475,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 476,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 477,
-    VAR_IPSECMOD_ENABLED = 478,
-    VAR_IPSECMOD_HOOK = 479,
-    VAR_IPSECMOD_IGNORE_BOGUS = 480,
-    VAR_IPSECMOD_MAX_TTL = 481,
-    VAR_IPSECMOD_WHITELIST = 482,
-    VAR_IPSECMOD_STRICT = 483,
-    VAR_CACHEDB = 484,
-    VAR_CACHEDB_BACKEND = 485,
-    VAR_CACHEDB_SECRETSEED = 486,
-    VAR_CACHEDB_REDISHOST = 487,
-    VAR_CACHEDB_REDISPORT = 488,
-    VAR_CACHEDB_REDISTIMEOUT = 489,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 490,
-    VAR_FOR_UPSTREAM = 491,
-    VAR_AUTH_ZONE = 492,
-    VAR_ZONEFILE = 493,
-    VAR_MASTER = 494,
-    VAR_URL = 495,
-    VAR_FOR_DOWNSTREAM = 496,
-    VAR_FALLBACK_ENABLED = 497,
-    VAR_TLS_ADDITIONAL_PORT = 498,
-    VAR_LOW_RTT = 499,
-    VAR_LOW_RTT_PERMIL = 500,
-    VAR_ALLOW_NOTIFY = 501,
-    VAR_TLS_WIN_CERT = 502,
-    VAR_TCP_CONNECTION_LIMIT = 503,
-    VAR_FORWARD_NO_CACHE = 504,
-    VAR_STUB_NO_CACHE = 505,
-    VAR_LOG_SERVFAIL = 506
+    VAR_SERVE_EXPIRED_TTL = 457,
+    VAR_SERVE_EXPIRED_TTL_RESET = 458,
+    VAR_FAKE_DSA = 459,
+    VAR_FAKE_SHA1 = 460,
+    VAR_LOG_IDENTITY = 461,
+    VAR_HIDE_TRUSTANCHOR = 462,
+    VAR_TRUST_ANCHOR_SIGNALING = 463,
+    VAR_AGGRESSIVE_NSEC = 464,
+    VAR_USE_SYSTEMD = 465,
+    VAR_SHM_ENABLE = 466,
+    VAR_SHM_KEY = 467,
+    VAR_ROOT_KEY_SENTINEL = 468,
+    VAR_DNSCRYPT = 469,
+    VAR_DNSCRYPT_ENABLE = 470,
+    VAR_DNSCRYPT_PORT = 471,
+    VAR_DNSCRYPT_PROVIDER = 472,
+    VAR_DNSCRYPT_SECRET_KEY = 473,
+    VAR_DNSCRYPT_PROVIDER_CERT = 474,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 475,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 476,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 477,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 478,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 479,
+    VAR_IPSECMOD_ENABLED = 480,
+    VAR_IPSECMOD_HOOK = 481,
+    VAR_IPSECMOD_IGNORE_BOGUS = 482,
+    VAR_IPSECMOD_MAX_TTL = 483,
+    VAR_IPSECMOD_WHITELIST = 484,
+    VAR_IPSECMOD_STRICT = 485,
+    VAR_CACHEDB = 486,
+    VAR_CACHEDB_BACKEND = 487,
+    VAR_CACHEDB_SECRETSEED = 488,
+    VAR_CACHEDB_REDISHOST = 489,
+    VAR_CACHEDB_REDISPORT = 490,
+    VAR_CACHEDB_REDISTIMEOUT = 491,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 492,
+    VAR_FOR_UPSTREAM = 493,
+    VAR_AUTH_ZONE = 494,
+    VAR_ZONEFILE = 495,
+    VAR_MASTER = 496,
+    VAR_URL = 497,
+    VAR_FOR_DOWNSTREAM = 498,
+    VAR_FALLBACK_ENABLED = 499,
+    VAR_TLS_ADDITIONAL_PORT = 500,
+    VAR_LOW_RTT = 501,
+    VAR_LOW_RTT_PERMIL = 502,
+    VAR_ALLOW_NOTIFY = 503,
+    VAR_TLS_WIN_CERT = 504,
+    VAR_TCP_CONNECTION_LIMIT = 505,
+    VAR_FORWARD_NO_CACHE = 506,
+    VAR_STUB_NO_CACHE = 507,
+    VAR_LOG_SERVFAIL = 508
   };
 #endif
 /* Tokens.  */
@@ -496,56 +498,58 @@ extern int yydebug;
 #define VAR_ACCESS_CONTROL_VIEW 454
 #define VAR_VIEW_FIRST 455
 #define VAR_SERVE_EXPIRED 456
-#define VAR_FAKE_DSA 457
-#define VAR_FAKE_SHA1 458
-#define VAR_LOG_IDENTITY 459
-#define VAR_HIDE_TRUSTANCHOR 460
-#define VAR_TRUST_ANCHOR_SIGNALING 461
-#define VAR_AGGRESSIVE_NSEC 462
-#define VAR_USE_SYSTEMD 463
-#define VAR_SHM_ENABLE 464
-#define VAR_SHM_KEY 465
-#define VAR_ROOT_KEY_SENTINEL 466
-#define VAR_DNSCRYPT 467
-#define VAR_DNSCRYPT_ENABLE 468
-#define VAR_DNSCRYPT_PORT 469
-#define VAR_DNSCRYPT_PROVIDER 470
-#define VAR_DNSCRYPT_SECRET_KEY 471
-#define VAR_DNSCRYPT_PROVIDER_CERT 472
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 473
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 474
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 475
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 476
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 477
-#define VAR_IPSECMOD_ENABLED 478
-#define VAR_IPSECMOD_HOOK 479
-#define VAR_IPSECMOD_IGNORE_BOGUS 480
-#define VAR_IPSECMOD_MAX_TTL 481
-#define VAR_IPSECMOD_WHITELIST 482
-#define VAR_IPSECMOD_STRICT 483
-#define VAR_CACHEDB 484
-#define VAR_CACHEDB_BACKEND 485
-#define VAR_CACHEDB_SECRETSEED 486
-#define VAR_CACHEDB_REDISHOST 487
-#define VAR_CACHEDB_REDISPORT 488
-#define VAR_CACHEDB_REDISTIMEOUT 489
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 490
-#define VAR_FOR_UPSTREAM 491
-#define VAR_AUTH_ZONE 492
-#define VAR_ZONEFILE 493
-#define VAR_MASTER 494
-#define VAR_URL 495
-#define VAR_FOR_DOWNSTREAM 496
-#define VAR_FALLBACK_ENABLED 497
-#define VAR_TLS_ADDITIONAL_PORT 498
-#define VAR_LOW_RTT 499
-#define VAR_LOW_RTT_PERMIL 500
-#define VAR_ALLOW_NOTIFY 501
-#define VAR_TLS_WIN_CERT 502
-#define VAR_TCP_CONNECTION_LIMIT 503
-#define VAR_FORWARD_NO_CACHE 504
-#define VAR_STUB_NO_CACHE 505
-#define VAR_LOG_SERVFAIL 506
+#define VAR_SERVE_EXPIRED_TTL 457
+#define VAR_SERVE_EXPIRED_TTL_RESET 458
+#define VAR_FAKE_DSA 459
+#define VAR_FAKE_SHA1 460
+#define VAR_LOG_IDENTITY 461
+#define VAR_HIDE_TRUSTANCHOR 462
+#define VAR_TRUST_ANCHOR_SIGNALING 463
+#define VAR_AGGRESSIVE_NSEC 464
+#define VAR_USE_SYSTEMD 465
+#define VAR_SHM_ENABLE 466
+#define VAR_SHM_KEY 467
+#define VAR_ROOT_KEY_SENTINEL 468
+#define VAR_DNSCRYPT 469
+#define VAR_DNSCRYPT_ENABLE 470
+#define VAR_DNSCRYPT_PORT 471
+#define VAR_DNSCRYPT_PROVIDER 472
+#define VAR_DNSCRYPT_SECRET_KEY 473
+#define VAR_DNSCRYPT_PROVIDER_CERT 474
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 475
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 476
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 477
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 478
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 479
+#define VAR_IPSECMOD_ENABLED 480
+#define VAR_IPSECMOD_HOOK 481
+#define VAR_IPSECMOD_IGNORE_BOGUS 482
+#define VAR_IPSECMOD_MAX_TTL 483
+#define VAR_IPSECMOD_WHITELIST 484
+#define VAR_IPSECMOD_STRICT 485
+#define VAR_CACHEDB 486
+#define VAR_CACHEDB_BACKEND 487
+#define VAR_CACHEDB_SECRETSEED 488
+#define VAR_CACHEDB_REDISHOST 489
+#define VAR_CACHEDB_REDISPORT 490
+#define VAR_CACHEDB_REDISTIMEOUT 491
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 492
+#define VAR_FOR_UPSTREAM 493
+#define VAR_AUTH_ZONE 494
+#define VAR_ZONEFILE 495
+#define VAR_MASTER 496
+#define VAR_URL 497
+#define VAR_FOR_DOWNSTREAM 498
+#define VAR_FALLBACK_ENABLED 499
+#define VAR_TLS_ADDITIONAL_PORT 500
+#define VAR_LOW_RTT 501
+#define VAR_LOW_RTT_PERMIL 502
+#define VAR_ALLOW_NOTIFY 503
+#define VAR_TLS_WIN_CERT 504
+#define VAR_TCP_CONNECTION_LIMIT 505
+#define VAR_FORWARD_NO_CACHE 506
+#define VAR_STUB_NO_CACHE 507
+#define VAR_LOG_SERVFAIL 508
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -556,7 +560,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 560 "util/configparser.h" /* yacc.c:1909  */
+#line 564 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -140,7 +140,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG VAR_ACCESS_CONTROL_TAG
 %token VAR_LOCAL_ZONE_OVERRIDE VAR_ACCESS_CONTROL_TAG_ACTION
 %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
-%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
+%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_SERVE_EXPIRED_TTL
+%token VAR_SERVE_EXPIRED_TTL_RESET VAR_FAKE_DSA VAR_FAKE_SHA1
 %token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
 %token VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
 %token VAR_ROOT_KEY_SENTINEL
@@ -243,6 +244,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_local_zone_override | server_access_control_tag_action |
 	server_access_control_tag_data | server_access_control_view |
 	server_qname_minimisation_strict | server_serve_expired |
+	server_serve_expired_ttl | server_serve_expired_ttl_reset |
 	server_fake_dsa | server_log_identity | server_use_systemd |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
@@ -1520,6 +1522,24 @@ server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG
 		free($2);
 	}
 	;
+server_serve_expired_ttl: VAR_SERVE_EXPIRED_TTL STRING_ARG
+	{
+		OUTYY(("P(server_serve_expired_ttl:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("number expected");
+		else cfg_parser->cfg->serve_expired_ttl = atoi($2);
+		free($2);
+	}
+	;
+server_serve_expired_ttl_reset: VAR_SERVE_EXPIRED_TTL_RESET STRING_ARG
+	{
+		OUTYY(("P(server_serve_expired_ttl_reset:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->serve_expired_ttl_reset = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 	{
 		OUTYY(("P(server_fake_dsa:%s)\n", $2));

util/data/msgparse.h

@@ -79,6 +79,8 @@ extern time_t MAX_TTL;
 extern time_t MIN_TTL;
 /** Maximum Negative TTL that is allowed */
 extern time_t MAX_NEG_TTL;
+/** Time to serve records after expiration */
+extern time_t SERVE_EXPIRED_TTL;
 /** Negative cache time (for entries without any RRs.) */
 #define NORR_TTL 5 /* seconds */
 

util/data/msgreply.c

@@ -61,6 +61,8 @@ time_t MAX_TTL = 3600 * 24 * 10; /* ten days */
 time_t MIN_TTL = 0;
 /** MAX Negative TTL, for SOA records in authority section */
 time_t MAX_NEG_TTL = 3600; /* one hour */
+/** Time to serve records after expiration */
+time_t SERVE_EXPIRED_TTL = 0;
 
 /** allocate qinfo, return 0 on error */
 static int
@@ -85,8 +87,8 @@ parse_create_qinfo(sldns_buffer* pkt, struct msg_parse* msg,
 /** constructor for replyinfo */
 struct reply_info*
 construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
-	time_t ttl, time_t prettl, size_t an, size_t ns, size_t ar, 
-	size_t total, enum sec_status sec)
+	time_t ttl, time_t prettl, time_t expttl, size_t an, size_t ns,
+	size_t ar, size_t total, enum sec_status sec)
 {
 	struct reply_info* rep;
 	/* rrset_count-1 because the first ref is part of the struct. */
@@ -103,6 +105,7 @@ construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
 	rep->qdcount = qd;
 	rep->ttl = ttl;
 	rep->prefetch_ttl = prettl;
+	rep->serve_expired_ttl = expttl;
 	rep->an_numrrsets = an;
 	rep->ns_numrrsets = ns;
 	rep->ar_numrrsets = ar;
@@ -126,7 +129,7 @@ parse_create_repinfo(struct msg_parse* msg, struct reply_info** rep,
 	struct regional* region)
 {
 	*rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0, 
-		0, msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets, 
+		0, 0, msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets, 
 		msg->rrset_count, sec_status_unchecked);
 	if(!*rep)
 		return 0;
@@ -424,6 +427,7 @@ parse_copy_decompress(sldns_buffer* pkt, struct msg_parse* msg,
 		pset = pset->rrset_all_next;
 	}
 	rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
+	rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL;
 	return 1;
 }
 
@@ -502,6 +506,7 @@ reply_info_set_ttls(struct reply_info* rep, time_t timenow)
 	size_t i, j;
 	rep->ttl += timenow;
 	rep->prefetch_ttl += timenow;
+	rep->serve_expired_ttl += timenow;
 	for(i=0; i<rep->rrset_count; i++) {
 		struct packed_rrset_data* data = (struct packed_rrset_data*)
 			rep->ref[i].key->entry.data;
@@ -687,9 +692,9 @@ reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
 {
 	struct reply_info* cp;
 	cp = construct_reply_info_base(region, rep->flags, rep->qdcount, 
-		rep->ttl, rep->prefetch_ttl, rep->an_numrrsets, 
-		rep->ns_numrrsets, rep->ar_numrrsets, rep->rrset_count, 
-		rep->security);
+		rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl, 
+		rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
+		rep->rrset_count, rep->security);
 	if(!cp)
 		return NULL;
 	/* allocate ub_key structures special or not */

util/data/msgreply.h

@@ -156,6 +156,12 @@ struct reply_info {
 	 */
 	time_t prefetch_ttl;
 
+	/** 
+	 * Reply TTL extended with serve exipred TTL, to limit time to serve
+	 * expired message.
+	 */
+	time_t serve_expired_ttl;
+
 	/**
 	 * The security status from DNSSEC validation of this message.
 	 */
@@ -222,6 +228,7 @@ struct msgreply_entry {
  * @param qd: qd count
  * @param ttl: TTL of replyinfo
  * @param prettl: prefetch ttl
+ * @param expttl: serve expired ttl
  * @param an: an count
  * @param ns: ns count
  * @param ar: ar count
@@ -232,8 +239,8 @@ struct msgreply_entry {
  */
 struct reply_info*
 construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd,
-		time_t ttl, time_t prettl, size_t an, size_t ns, size_t ar,
-		size_t total, enum sec_status sec);
+		time_t ttl, time_t prettl, time_t expttl, size_t an, size_t ns,
+		size_t ar, size_t total, enum sec_status sec);
 
 /** 
  * Parse wire query into a queryinfo structure, return 0 on parse error. 

validator/validator.c

@@ -2235,6 +2235,8 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 		vq->orig_msg->rep->ttl = ve->bogus_ttl;
 		vq->orig_msg->rep->prefetch_ttl = 
 			PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl);
+		vq->orig_msg->rep->serve_expired_ttl = 
+			vq->orig_msg->rep->ttl + qstate->env->cfg->serve_expired_ttl;
 		if((qstate->env->cfg->val_log_level >= 1 ||
 			qstate->env->cfg->log_servfail) &&
 			!qstate->env->cfg->val_log_squelch) {