Fix cache update when serve expired is used #1143

Merged
merged 7 commits into from
Sep 24, 2024

Member

@gthess gthess commented Sep 23, 2024

By not replacing/evicting still usable expired records. Modules are forbidden to update the cache if their answer is DNSSEC unchecked or bogus and a valid (expired) entry already exists. Bogus replies from the validator are also discarded in favor of existing (expired) valid replies.

Fixes #994.

@gthess gthess added this to the 1.22.0 milestone Sep 23, 2024
@gthess gthess self-assigned this Sep 23, 2024
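
The cache-update rule from the pull request description above, modelled as a small self-contained C sketch. This is an added example, not code from Unbound or from this pull request; the type names, `cache_store`, `scenario`, the `stale_window` setting and the reading of "valid" as secure-or-insecure are assumptions made for illustration.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical validation states for this sketch, not Unbound's own enum. */
enum sec { SEC_UNCHECKED, SEC_BOGUS, SEC_INSECURE, SEC_SECURE };

struct entry {
    enum sec status;
    time_t expires;   /* absolute time at which the TTL runs out */
    int data;         /* stand-in for the cached answer */
};

struct policy {
    bool serve_expired;   /* may expired answers be served at all */
    time_t stale_window;  /* assumed: seconds past expiry an entry stays usable */
};

/* Assumption: "valid" means validation finished without failure. */
static bool is_valid(enum sec s) { return s == SEC_SECURE || s == SEC_INSECURE; }

/* Expired, yet still inside the window in which it may be served. */
static bool usable_expired(const struct entry *e, const struct policy *p, time_t now)
{
    return p->serve_expired && now >= e->expires
        && now - e->expires <= p->stale_window;
}

/* Returns true if the slot was overwritten, false if the old entry was kept. */
bool cache_store(struct entry *slot, const struct policy *p, time_t now,
                 enum sec status, time_t ttl, int data)
{
    bool weak = (status == SEC_UNCHECKED || status == SEC_BOGUS);
    if (weak && is_valid(slot->status) && usable_expired(slot, p, now))
        return false;   /* keep the validated stale answer */
    slot->status = status;
    slot->expires = now + ttl;
    slot->data = data;
    return true;
}

/* Constructed scenario: entry 1 expired `age` seconds ago; try to store answer 2.
 * Returns the data left in the cache afterwards. */
int scenario(bool serve_expired, enum sec old, enum sec incoming, time_t age)
{
    struct policy p = { serve_expired, 3600 };
    struct entry slot = { old, 1000, 1 };
    cache_store(&slot, &p, 1000 + age, incoming, 300, 2);
    return slot.data;
}
```

A return value of 1 from `scenario` means the validated stale answer survived; 2 means the incoming answer replaced it.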
Member

@wcawijngaards wcawijngaards left a comment

Code looks good. It is nice to keep the better validated answers in cache when there are lookup failures.

validator/validator.c (resolved)
testdata/serve_expired_val_bogus.rpl (resolved)
@gthess gthess merged commit 2e398d5 into master Sep 24, 2024
1 check passed
@gthess gthess deleted the bugfix/serve-expired-secstatus-servfail branch September 24, 2024 14:47
gthess added a commit that referenced this pull request Sep 24, 2024
- Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
jedisct1 added a commit to jedisct1/unbound that referenced this pull request Sep 26, 2024
* nlnet/master:
  - Fix NLnetLabs#1144: [FR] log timestamps in ISO8601 format with timezone. This adds the option `log-time-iso: yes` that logs in ISO8601 format.
  Changelog entry for NLnetLabs#1143: - Merge NLnetLabs#1143: Fix cache update when serve expired is used. Expired records are favored over resolution and validation failures when serve-expired is used.
  Fix cache update when serve expired is used (NLnetLabs#1143)
  - More clear text for prefetch and minimal-responses in the unbound.conf man page.
  - Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
Successfully merging this pull request may close these issues.

serve expired fails when DNSSEC is enabled