[master] ignore cache when sending 5011 refresh queries

4771. [bug] When sending RFC 5011 refresh queries, disregard cached DNSKEY rrsets. [RT #46251]
2025-08-29 13:38:26 +00:00 · 2017-10-11 14:24:29 -07:00 · 2017-10-11 14:24:29 -07:00 · b2597ce86b
commit b2597ce86b
parent 800fbdfc9c
4 changed files with 20 additions and 1 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4771.	[bug]		When sending RFC 5011 refresh queries, disregard
+			cached DNSKEY rrsets. [RT #46251]
+
 4770.	[bug]		Cache additional data from priming queries as glue.
 			Previously they were ignored as unsigned
 			non-answer data from a secure zone, and never
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@ -97,6 +97,7 @@ typedef enum {
 #define DNS_FETCHOPT_PREFETCH		0x100	     /*%< Do prefetch */
 #define DNS_FETCHOPT_NOCDFLAG		0x200	     /*%< Don't set CD flag. */
 #define DNS_FETCHOPT_NONTA		0x400	     /*%< Ignore NTA table. */
+#define DNS_FETCHOPT_NOCACHED		0x800	     /*%< Force cache update. */

 /* Reserved in use by adb.c		0x00400000 */
 #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -5863,6 +5863,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 				{
 					options = DNS_DBADD_PREFETCH;
 				}
+				if ((fctx->options &
+				     DNS_FETCHOPT_NOCACHED) != 0)
+				{
+					options |= DNS_DBADD_FORCE;
+				}
 				addedrdataset = ardataset;
 				result = dns_db_addrdataset(fctx->cache, node,
 							    NULL, now, rdataset,
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -9754,11 +9754,21 @@ zone_refreshkeys(dns_zone_t *zone) {
 				     namebuf);
 		}

+		/*
+		 * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is
+		 * not set and the cache still holds a non-expired, validated
+		 * version of the RRset being queried for by the time the
+		 * response is received, the cached RRset will be passed to
+		 * keyfetch_done() instead of the one received in the response
+		 * as the latter will have a lower trust level due to not being
+		 * validated until keyfetch_done() is called.
+		 */
 		result = dns_resolver_createfetch(zone->view->resolver,
 						  kname, dns_rdatatype_dnskey,
 						  NULL, NULL, NULL,
 						  DNS_FETCHOPT_NOVALIDATE|
-						  DNS_FETCHOPT_UNSHARED,
+						  DNS_FETCHOPT_UNSHARED|
+						  DNS_FETCHOPT_NOCACHED,
 						  zone->task,
 						  keyfetch_done, kfetch,
 						  &kfetch->dnskeyset,