From ae5e03a94d240e73b50170a6a22cbd19a819d21a Mon Sep 17 00:00:00 2001
From: Sebastian Mayr <124872539+bn-smayr@users.noreply.github.com>
Date: Thu, 3 Jul 2025 04:39:46 +0200
Subject: [PATCH] fix(cache): data race when refreshing cached messages (#7398)

---
 plugin/cache/cache.go | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index 6dc6dc0a2..a2ae9a307 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -199,6 +199,18 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 		duration = computeTTL(msgTTL, w.minpttl, w.pttl)
 	}
 
+	// Apply capped TTL to this reply to avoid jarring TTL experience 1799 -> 8 (e.g.)
+	ttl := uint32(duration.Seconds())
+	res.Answer = filterRRSlice(res.Answer, ttl, false)
+	res.Ns = filterRRSlice(res.Ns, ttl, false)
+	res.Extra = filterRRSlice(res.Extra, ttl, false)
+
+	if !w.do && !w.ad {
+		// unset AD bit if requester is not OK with DNSSEC
+		// But retain AD bit if requester set the AD bit in the request, per RFC6840 5.7-5.8
+		res.AuthenticatedData = false
+	}
+
 	if hasKey && duration > 0 {
 		if w.state.Match(res) {
 			w.set(res, key, mt, duration)
@@ -214,18 +226,6 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 		return nil
 	}
 
-	// Apply capped TTL to this reply to avoid jarring TTL experience 1799 -> 8 (e.g.)
-	ttl := uint32(duration.Seconds())
-	res.Answer = filterRRSlice(res.Answer, ttl, false)
-	res.Ns = filterRRSlice(res.Ns, ttl, false)
-	res.Extra = filterRRSlice(res.Extra, ttl, false)
-
-	if !w.do && !w.ad {
-		// unset AD bit if requester is not OK with DNSSEC
-		// But retain AD bit if requester set the AD bit in the request, per RFC6840 5.7-5.8
-		res.AuthenticatedData = false
-	}
-
 	return w.ResponseWriter.WriteMsg(res)
 }