--- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -6126,6 +6126,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, addedrdataset); return (ISC_R_SUCCESS); } + /* + * If we have will be replacing a NS RRset force its TTL + * to be no more than the current NS RRset's TTL. This + * ensures the delegations that are withdrawn are honoured. + */ + if (IS_CACHE(rbtdb) && header->rdh_ttl > now && + header->type == dns_rdatatype_ns && + !header_nx && !newheader_nx && + header->trust <= newheader->trust) { + if (newheader->rdh_ttl > header->rdh_ttl) { + newheader->rdh_ttl = header->rdh_ttl; + } + } if (IS_CACHE(rbtdb) && header->rdh_ttl > now && (header->type == dns_rdatatype_a || header->type == dns_rdatatype_aaaa) &&