- Fix for #1064: Fix that cachedb expired messages are considered

insecure, and thus can be served to clients when dnssec is enabled.
2026-02-03 04:09:28 -05:00 · 2024-05-21 17:06:18 +02:00 · 2024-05-21 17:06:18 +02:00 · fbdc06ebc4
commit fbdc06ebc4
parent d149e755fd
2 changed files with 6 additions and 0 deletions
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@ -745,6 +745,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired)
 		 * going to be now-3 seconds. Making it expired
 		 * in the cache. */
 		set_msg_ttl(qstate->return_msg, (time_t)-3);
+		/* The expired entry does not get checked by the validator
+		 * and we need a validation value for it. */
+		if(qstate->env->cfg->cachedb_check_when_serve_expired)
+			qstate->return_msg->rep->security = sec_status_insecure;
 	}
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
--- a/doc/Changelog
+++ b/doc/Changelog
@ -4,6 +4,8 @@
 	- Fix to print a parse error when config is read with no name for
 	  a forward-zone, stub-zone or view.
 	- Fix for parse end of forward-zone, stub-zone and view.
+	- Fix for #1064: Fix that cachedb expired messages are considered
+	  insecure, and thus can be served to clients when dnssec is enabled.

 17 May 2024: Yorgos
 	- Merge #1069: Fix unbound-control stdin commands for multi-process