- Cached messages that reach 0 TTL are considered expired. This prevents
Unbound itself from issuing replies with TTL 0 and possibly causing a
thundering herd at the last second. Upstream replies of TTL 0 still
get the usual pass-through but they are not considered for caching
from Unbound or any of its caching modules.
- 'serve-expired-reply-ttl' is changed and is now capped by the original
TTL value of the record to try and make some sense when replying
with expired records.
- TTL decoding was updated to adhere to RFC8767 section 4 where a set
high-order bit means the value is positive instead of 0.
- Fix cache update when serve expired is used in order to not evict
still usable expired records. Modules are forbidden to update the
cache if their answer is DNSSEC unchecked or bogus and a valid
(expired) entry already exists. Bogus replies from the validator are
also discarded in favor of existing (expired) valid replies.
- serve-expired-ttl-reset should try to keep expired records in the
cache in case they are reset.
up to parent to not cause delegation invalidation because of an
expired child delegation that would never be updated. Most likely to
happen without qname-minimisation. Reported by Roland van Rijswijk-Deij.
closest encloser from yy for DS zz. while building chain of trust,
because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
for an NSEC3. Now it does not change rdata, and fixes TTL.
git-svn-id: file:///svn/unbound/trunk@2599 be551aaa-1e26-0410-a405-d3ace91eadb9
that would be permissible by the RFCs but it is not the TTL in the
cache.
git-svn-id: file:///svn/unbound/trunk@2581 be551aaa-1e26-0410-a405-d3ace91eadb9
This makes validated to be insecure data just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
- Fix assertion fail on bogus key handling.
- dnssec lameness detection works on first query at trust apex.
- NS queries get proper cache and dnssec lameness treatment.
- fixup compilation without pthreads on linux.
- NS queries are done after every referral.
validator is used on those NS records (if anchors enabled).
git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9
- fixup testbound so it exits cleanly.
- cleanup the caches on a reload, so that rrsetID numbers won't clash.
git-svn-id: file:///svn/unbound/trunk@740 be551aaa-1e26-0410-a405-d3ace91eadb9
store verification status in rrset cache to enable security for nonRD
replies and also speed up processing.
git-svn-id: file:///svn/unbound/trunk@550 be551aaa-1e26-0410-a405-d3ace91eadb9
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
rrset cache from module environment.
- packed rrset key has type and class as easily accessable struct
members. They are still kept in network format for fast msg encode.
- dns cache find_delegation routine.
git-svn-id: file:///svn/unbound/trunk@339 be551aaa-1e26-0410-a405-d3ace91eadb9
