Fix bug with SOA records not updating correctly (#266)

Note that the SOA record is stored twice: once in the zones table (the
`authority` section of the `#zone{}` record), and another one as a
standalone RRSet in the typed records table. And then the resolution
algorithm would use the RRSet in the typed records table as the answer
for an explicit query to SOA records but the cached ones on the zone
record for any other query that required including SOA records. This
would be an issue for DNSSEC, because for example an NSEC answer would
include the RRSIG record of the _new_ SOA record, but with the _old_ SOA
record, hence triggering a validation failure.

Note that this code was available in v7, and it was lost just very unfortunately. The PR comes with a regression test.

Author: NelsonVides

src/zones/erldns_zone_cache.erl

@@ -505,7 +505,11 @@ delete_zone_rrset(ZoneName, Digest, RRFqdn, Type, Counter) ->
 update_zone_records_and_digest(ZLabels, RecordsCount, Digest) ->
     case find_zone_in_cache(ZLabels) of
         #zone{} = Zone ->
-            UpdatedZone = Zone#zone{version = Digest, record_count = RecordsCount},
+            UpdatedZone = Zone#zone{
+                version = Digest,
+                authority = get_records_by_name_and_type(Zone, ZLabels, ?DNS_TYPE_SOA),
+                record_count = RecordsCount
+            },
             true = insert_zone(UpdatedZone),
             ok;
         zone_not_found ->

test/zones_SUITE.erl

@@ -66,6 +66,7 @@ groups() ->
             is_record_name_in_zone_strict,
             put_zone,
             put_zone_rrset,
+            put_zone_rrset_fetch_soa_match,
             put_zone_rrset_records_count_with_existing_rrset,
             put_zone_rrset_records_count_with_new_rrset,
             put_zone_rrset_records_count_matches_cache,
@@ -738,6 +739,43 @@ put_zone_rrset(_) ->
     % There should be no change in record count
     ?assertEqual(ZoneBase#zone.record_count, ZoneModified#zone.record_count).
 
+put_zone_rrset_fetch_soa_match(_) ->
+    ZoneName = dns:dname_to_lower(~"put_zone_rrset_fetch_soa_match.com"),
+    SoaData = #dns_rrdata_soa{
+        mname = ~"ns1.put_zone_rrset_fetch_soa_match.com",
+        rname = ~"admin.put_zone_rrset_fetch_soa_match.com",
+        serial = 12345,
+        refresh = 555,
+        retry = 666,
+        expire = 777,
+        minimum = 888
+    },
+    SOA = #dns_rr{
+        name = ZoneName,
+        type = ?DNS_TYPE_SOA,
+        data = SoaData,
+        ttl = 3600
+    },
+    Z = erldns_zone_codec:build_zone(ZoneName, ~"Digest-01", [SOA], []),
+    ?assertMatch(ok, erldns_zone_cache:put_zone(Z)),
+    ZoneBase = erldns_zone_cache:get_authoritative_zone(ZoneName),
+    SoaRecordsInCache = erldns_zone_cache:get_records_by_name_and_type(ZoneName, ?DNS_TYPE_SOA),
+    ?assertMatch(SoaRecordsInCache, ZoneBase#zone.authority),
+    NewSoa = SOA#dns_rr{data = SoaData#dns_rrdata_soa{serial = 12346}},
+    ?assertMatch(
+        ok,
+        erldns_zone_cache:put_zone_rrset(
+            {ZoneName, ~"Digest-02", [NewSoa], []},
+            ~"put_zone_rrset_fetch_soa_match.com",
+            ?DNS_TYPE_SOA,
+            1
+        )
+    ),
+    ZoneModified = erldns_zone_cache:get_authoritative_zone(ZoneName),
+    NewSoaRecordsInCache = erldns_zone_cache:get_records_by_name_and_type(ZoneName, ?DNS_TYPE_SOA),
+    Comment = #{soa_in_zone => ZoneModified#zone.authority, soa_in_cache => NewSoaRecordsInCache},
+    ?assertMatch(NewSoaRecordsInCache, ZoneModified#zone.authority, Comment).
+
 put_zone_rrset_records_count_with_existing_rrset(_) ->
     ZoneName = dns:dname_to_lower(~"example.com"),
     ZoneLabels = dns:dname_to_labels(ZoneName),