From da3e409b21bb41a69a656cc006a35fdca24d6688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 21 Aug 2025 17:47:29 +0200
Subject: [PATCH] fixup! Allow negative RRSIGs in the qpcache again

---
 lib/dns/qpcache.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index c3b1e25acf..9b70543a27 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -1629,10 +1629,11 @@ qpcache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 	/*
 	 * Certain DNSSEC types are not subject to CNAME matching
 	 * (RFC4035, section 2.5 and RFC3007).
+	 *
+	 * We don't check for RRSIG, because we don't store RRSIG records
+	 * directly.
 	 */
-	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec ||
-	    type == dns_rdatatype_rrsig)
-	{
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec) {
 		cname_ok = false;
 	}
 
@@ -1650,7 +1651,7 @@ qpcache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	typepair = DNS_TYPEPAIR(type);
-	sigpair = !dns_rdatatype_issig(type) ? DNS_SIGTYPEPAIR(type) : 0;
+	sigpair = DNS_SIGTYPEPAIR(type);
 	nsheader = NULL;
 	nsecheader = NULL;
 	nssig = NULL;