diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index 6dc6dc0a2..a2ae9a307 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -199,6 +199,18 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 duration = computeTTL(msgTTL, w.minpttl, w.pttl)
 }
 
+ // Apply capped TTL to this reply to avoid jarring TTL experience 1799 -> 8 (e.g.)
+ ttl := uint32(duration.Seconds())
+ res.Answer = filterRRSlice(res.Answer, ttl, false)
+ res.Ns = filterRRSlice(res.Ns, ttl, false)
+ res.Extra = filterRRSlice(res.Extra, ttl, false)
+
+ if !w.do && !w.ad {
+ // unset AD bit if requester is not OK with DNSSEC
+ // But retain AD bit if requester set the AD bit in the request, per RFC6840 5.7-5.8
+ res.AuthenticatedData = false
+ }
+
 if hasKey && duration > 0 {
 if w.state.Match(res) {
 w.set(res, key, mt, duration)
@@ -214,18 +226,6 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 return nil
 }
 
- // Apply capped TTL to this reply to avoid jarring TTL experience 1799 -> 8 (e.g.)
- ttl := uint32(duration.Seconds())
- res.Answer = filterRRSlice(res.Answer, ttl, false)
- res.Ns = filterRRSlice(res.Ns, ttl, false)
- res.Extra = filterRRSlice(res.Extra, ttl, false)
-
- if !w.do && !w.ad {
- // unset AD bit if requester is not OK with DNSSEC
- // But retain AD bit if requester set the AD bit in the request, per RFC6840 5.7-5.8
- res.AuthenticatedData = false
- }
-
 return w.ResponseWriter.WriteMsg(res)
 }
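Review bot: The requester-specific AD-bit clearing (`if !w.do && !w.ad { res.AuthenticatedData = false }`) now runs before `w.set(res, key, mt, duration)` in the first hunk, so one client's DNSSEC preference mutates the message that is about to be stored in the shared cache. `w.set` is outside the hunk, but if it stores the message's AuthenticatedData flag, a first requester without DO/AD would cause later DO/AD requesters to get cached answers with AD cleared, which is a silent downgrade of the validation signal. The block also now runs before the `if w.prefetch { return nil }` early return, so it applies to prefetch-driven writes too, where `w.do` and `w.ad` may not reflect a real client. I would move only the TTL cap above the store and leave the AD block after the prefetch return, with a comment such as `// per-requester: must run after w.set so the cached entry keeps the upstream AD bit`. WriteMsg starts and continues outside the hunk, so this should be checked against the full function and the cache key.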