authorGravatar Grant Spence <gcs278@vt.edu> 2022-10-21 09:29:04 -0600
committerGravatar GitHub <noreply@github.com> 2022-10-21 11:29:04 -0400
commit403e979934254713789ec9eef7a5127758104c8e (patch)
tree34903db6ec3c03055e28c0cccdfec758c929f839 /plugin/cache/cache.go
parentc6fa91b36704795997ed3953221317990c10cc30 (diff)
plugin/cache: cache now uses source query DNSSEC option for upstream refresh (#5671)
Signed-off-by: Grant Spence <gspence@redhat.com> Signed-off-by: Grant Spence <gspence@redhat.com>
Diffstat (limited to 'plugin/cache/cache.go')
-rw-r--r--plugin/cache/cache.go26
1 files changed, 18 insertions, 8 deletions
diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index b4767937d..54f2587fa 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -76,7 +76,7 @@ func New() *Cache {
// key returns key under which we store the item, -1 will be returned if we don't store the message.
// Currently we do not cache Truncated, errors zone transfers or dynamic update messages.
// qname holds the already lowercased qname.
-func key(qname string, m *dns.Msg, t response.Type) (bool, uint64) {
+func key(qname string, m *dns.Msg, t response.Type, do bool) (bool, uint64) {
// We don't store truncated responses.
if m.Truncated {
return false, 0
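Review bot: The doc comment above `key` no longer matches the signature: it still says `-1 will be returned`, although the function returns `(bool, uint64)`, and it says nothing about the new `do` parameter. Since `do` now decides which cache entry a response is stored under, the comment should say so, for example `// do is the DO bit of the originating query; DO and non-DO responses are stored under different keys.`, with the `-1` wording replaced by `false is returned if we don't store the message`. The body of `key` continues outside this hunk.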
@@ -86,11 +86,21 @@ func key(qname string, m *dns.Msg, t response.Type) (bool, uint64) {
return false, 0
}
- return true, hash(qname, m.Question[0].Qtype)
+ return true, hash(qname, m.Question[0].Qtype, do)
}
-func hash(qname string, qtype uint16) uint64 {
+var one = []byte("1")
+var zero = []byte("0")
+
+func hash(qname string, qtype uint16, do bool) uint64 {
h := fnv.New64()
+
+ if do {
+ h.Write(one)
+ } else {
+ h.Write(zero)
+ }
+
h.Write([]byte{byte(qtype >> 8)})
h.Write([]byte{byte(qtype)})
h.Write([]byte(qname))
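Review bot: `one` and `zero` are very generic names for package-level variables, and as `[]byte` slices they can be modified from anywhere in the package, which would silently change every cache key. Names tied to their purpose (`doSet`, `doUnset`) with a one-line comment would make the intent clear, and `hash` itself deserves a doc comment such as `// hash returns the FNV-64 cache key for the DO bit, qtype and qname.`. Because the DO bit is now part of the key, each name/type pair can occupy two entries, so the configured cache capacity may cover fewer distinct names than before; that is worth a sentence in the plugin documentation. The end of `hash` is outside this hunk.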
@@ -145,6 +155,7 @@ func newPrefetchResponseWriter(server string, state request.Request, c *Cache) *
Cache: c,
state: state,
server: server,
+ do: state.Do(),
prefetch: true,
remoteAddr: addr,
}
@@ -163,7 +174,7 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
mt, _ := response.Typify(res, w.now().UTC())
// key returns empty string for anything we don't want to cache.
- hasKey, key := key(w.state.Name(), res, mt)
+ hasKey, key := key(w.state.Name(), res, mt, w.do)
msgTTL := dnsutil.MinimalTTL(res, mt)
var duration time.Duration
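Review bot: The comment above the changed call still says `key returns empty string`, but `key` returns `(bool, uint64)`, and `hasKey, key := key(...)` shadows the package-level function with a local of the same name for the rest of `WriteMsg`. I would write `hasKey, k := key(w.state.Name(), res, mt, w.do)` with the comment `// key returns false for anything we don't want to cache.`, renaming the later uses, which are outside this hunk. The read path is not part of this file's diff: it has to hash with the same DO value as `w.do` here, otherwise a client could be served the entry stored for the other variant or never hit the cache, so a test that stores and reads both variants would be useful.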
@@ -191,11 +202,10 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
}
// Apply capped TTL to this reply to avoid jarring TTL experience 1799 -> 8 (e.g.)
- // We also may need to filter out DNSSEC records, see toMsg() for similar code.
ttl := uint32(duration.Seconds())
- res.Answer = filterRRSlice(res.Answer, ttl, w.do, false)
- res.Ns = filterRRSlice(res.Ns, ttl, w.do, false)
- res.Extra = filterRRSlice(res.Extra, ttl, w.do, false)
+ res.Answer = filterRRSlice(res.Answer, ttl, false)
+ res.Ns = filterRRSlice(res.Ns, ttl, false)
+ res.Extra = filterRRSlice(res.Extra, ttl, false)
if !w.do && !w.ad {
// unset AD bit if requester is not OK with DNSSEC
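Review bot: With `w.do` dropped from the three `filterRRSlice` calls, nothing in this hunk strips DNSSEC records from a reply to a non-DO client any more, so correctness now depends on the upstream having answered with the same DO bit the client sent. If an upstream or another plugin in the chain returns RRSIG/NSEC records unasked, they would presumably be cached under the non-DO key and served as is. I would record the assumption where the removed comment was, e.g. `// No DNSSEC filtering here: the upstream query carried the client's DO bit and the entry is keyed on it.`, and add a test that a non-DO query never receives RRSIGs from the cache. `filterRRSlice` itself and the rest of `WriteMsg` are outside this hunk.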