authorLennart Poettering <lennart@poettering.net>2015-12-10 13:46:05 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-11 14:14:27 +0100
commitc33be4a6f229ed26407f19fbc463decb3d9b4cbc (patch)
tree1c4d6400fd8633f29dc4cd2d380f6eae612e0fd9
parent6728a58d10c019d6ebcf2949d0cb598afa5a7c6f (diff)
resolved: refuse to cache ANY kind of pseudo-RR-type
-rw-r--r--src/resolve/dns-type.c2
-rw-r--r--src/resolve/resolved-dns-cache.c8
2 files changed, 5 insertions, 5 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index 393fee0356..8ce8a566f1 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -51,7 +51,7 @@ bool dns_type_is_pseudo(uint16_t type) {
* but apparently entails all RR types that are not actually
* stored as RRs on the server and should hence also not be
* cached. We use this list primarily to validate NSEC type
- * bitfields. */
+ * bitfields, and to verify what to cache. */
return IN_SET(type,
0, /* A Pseudo RR type, according to RFC 2931 */
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 9ab44400bd..676fa08ffb 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -302,7 +302,7 @@ static int dns_cache_put_positive(
if (rr->key->class == DNS_CLASS_ANY)
return 0;
- if (rr->key->type == DNS_TYPE_ANY)
+ if (dns_type_is_pseudo(rr->key->type))
return 0;
/* Entry exists already? Update TTL and timestamp */
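Review bot: The new `dns_type_is_pseudo()` guard in dns_cache_put_positive() drops the record with a bare `return 0;` and neither a comment nor a log line, so a reply carrying a pseudo-type RR looks the same as any other no-op. Per the comment in dns-type.c, such types are never stored as RRs on a server, so one turning up on the cache path is anomalous and worth surfacing at debug level, e.g. `log_debug("Refusing to cache pseudo RR type %u", rr->key->type);` in a braced body before the `return 0;`. A short comment such as `/* Pseudo RR types are never stored as RRs on a server, hence never cache them */` would also bring this check in line with the commented one in dns_cache_put_negative(). The function starts and ends outside this hunk, so whether a caller already reports this case is not visible here.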
@@ -370,9 +370,9 @@ static int dns_cache_put_negative(
if (key->class == DNS_CLASS_ANY)
return 0;
- if (key->type == DNS_TYPE_ANY)
- /* This is particularly important to filter out as we use this as a
- * pseudo-type for NXDOMAIN entries */
+ if (dns_type_is_pseudo(key->type))
+ /* ANY is particularly important to filter out as we
+ * use this as a pseudo-type for NXDOMAIN entries */
return 0;
if (soa_ttl <= 0) {
if (log_get_max_level() >= LOG_DEBUG) {
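Review bot: The comment kept under the new `if (dns_type_is_pseudo(key->type))` in dns_cache_put_negative() still explains only ANY, although the check now rejects every pseudo type, and it sits between an unbraced condition and its `return 0;`. I would move it above the `if` and state the general rule first: `/* Never cache pseudo RR types. ANY matters most here, as we use it as the pseudo-type for NXDOMAIN entries */`. If the comment stays inside the body, brace the body so that a statement added later cannot detach the `return`. The function continues past the end of this hunk.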