proxy: imp doc

AdguardTeam · Oct 10, 2022 · 8d00f83 · 8d00f83
1 parent 673eb98
commit 8d00f83
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -453,10 +453,9 @@ func (p *Proxy) Resolve(d *DNSContext) (err error) {
 	d.calcFlagsAndSize()
 
 	// Use cache only if it's enabled and the query doesn't use custom upstream.
-	// Also don't cache and don't lookup the cache for responses with DNSSEC
-	// checking disabled, just like Dnsmasq does.
-	//
-	// See https://github.com/imp/dnsmasq/blob/770bce967cfc9967273d0acfb3ea018fb7b17522/src/forward.c#L1169-L1172.
+	// Also don't lookup the cache for responses with DNSSEC checking disabled
+	// since only validated responses are cached and those may be not the
+	// desired result for user specifying CD flag.
 	cacheWorks := p.cache != nil && d.CustomUpstreamConfig == nil && !d.Req.CheckingDisabled
 	if cacheWorks {
 		if p.replyFromCache(d) {
@@ -474,6 +473,11 @@ func (p *Proxy) Resolve(d *DNSContext) (err error) {
 	var ok bool
 	ok, err = p.replyFromUpstream(d)
 
+	// Don't cache the responses having CD flag, just like Dnsmasq does.  It
+	// prevents the cache from being poisoned with unvalidated answers which may
+	// differ from validated ones.
+	//
+	// See https://github.com/imp/dnsmasq/blob/770bce967cfc9967273d0acfb3ea018fb7b17522/src/forward.c#L1169-L1172.
 	if cacheWorks && ok && !d.Res.CheckingDisabled {
 		// Cache the response with DNSSEC RRs.
 		p.cacheResp(d)