From 5633dc90d3f4d3e2bd4d461e07fcd8d611843e7f Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 26 Feb 2025 13:32:20 +0000
Subject: [PATCH] Fix TTL issue with ANY queries processed through RPZ "passthru"

Answers to an "ANY" query which are processed by the RPZ "passthru" policy have the response-policy's 'max-policy-ttl' value unexpectedly applied. Do not change the records' TTL when RPZ uses a policy which does not alter the answer.
---
 lib/ns/query.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 35193b9c17..2bc3fc45e9 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7757,7 +7757,10 @@ query_respond_any(query_ctx_t *qctx) {
 	}
 	qctx->rpz_st = qctx->client->query.rpz_st;
-	if (qctx->rpz_st != NULL) {
+	if (qctx->rpz_st != NULL &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU)
+	{
 		qctx->rdataset->ttl = ISC_MIN(qctx->rdataset->ttl, qctx->rpz_st->m.ttl);