- Fix in depth for serve-expired responses from cachedb, that it

wcawijngaards · wcawijngaards · commit 9ce52de6c105 · 2026-05-20T14:58:26.000+02:00
does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks,
  for the report.
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
@@ -401,6 +401,12 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	   FLAGS_GET_RCODE(qstate->return_msg->rep->flags) !=
 		LDNS_RCODE_YXDOMAIN)
 		return 0;
+	/* Do not persist data the validator has not yet seen, or has rejected.
+	 * Otherwise an expired blob could maybe reach clients via
+	 * serve-expired. */
+	if(qstate->env->need_to_validate &&
+		qstate->return_msg->rep->security == sec_status_bogus)
+		return 0;
 	/* We don't store the reply if its TTL is 0. This is probably coming
 	 * from upstream and it is not meant to be stored. */
 	if(qstate->return_msg->rep->ttl == 0)
diff --git a/doc/Changelog b/doc/Changelog
@@ -35,6 +35,9 @@
 	- Unit test for CVE-2026-42959.
 	- Unit test for CVE-2026-40622.
 	- Unit test for CVE-2026-42960.
+	- Fix in depth for serve-expired responses from cachedb, that it
+	  does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks,
+	  for the report.
 
 18 May 2026: Wouter
 	- Fix for mixed class referrals, the resolver uses the query
