resolved: only cache answer RRs, never additional or authoritative RRs of responses

src/resolve/resolved-dns-cache.c

@@ -337,7 +337,7 @@ static int dns_cache_put_negative(DnsCache *c, DnsResourceKey *key, int rcode, u
         return 0;
 }
 
-int dns_cache_put(DnsCache *c, DnsQuestion *q, int rcode, DnsAnswer *answer, usec_t timestamp) {
+int dns_cache_put(DnsCache *c, DnsQuestion *q, int rcode, DnsAnswer *answer, unsigned max_rrs, usec_t timestamp) {
         unsigned i;
         int r;
 
@@ -365,7 +365,7 @@ int dns_cache_put(DnsCache *c, DnsQuestion *q, int rcode, DnsAnswer *answer, use
                 timestamp = now(CLOCK_MONOTONIC);
 
         /* Second, add in positive entries for all contained RRs */
-        for (i = 0; i < answer->n_rrs; i++) {
+        for (i = 0; i < MIN(max_rrs, answer->n_rrs); i++) {
                 r = dns_cache_put_positive(c, answer->rrs[i], timestamp);
                 if (r < 0)
                         goto fail;

src/resolve/resolved-dns-cache.h

@@ -40,5 +40,5 @@ typedef struct DnsCache {
 void dns_cache_flush(DnsCache *c);
 void dns_cache_prune(DnsCache *c);
 
-int dns_cache_put(DnsCache *c, DnsQuestion *q, int rcode, DnsAnswer *answer, usec_t timestamp);
+int dns_cache_put(DnsCache *c, DnsQuestion *q, int rcode, DnsAnswer *answer, unsigned max_rrs, usec_t timestamp);
 int dns_cache_lookup(DnsCache *c, DnsQuestion *q, int *rcode, DnsAnswer **answer);

src/resolve/resolved-dns-query.c

@@ -344,7 +344,8 @@ void dns_query_transaction_process_reply(DnsQueryTransaction *t, DnsPacket *p) {
                 return;
         }
 
-        dns_cache_put(&t->scope->cache, p->question, DNS_PACKET_RCODE(p), p->answer, 0);
+        /* According to RFC 4795, section 2.9. only the RRs from the answer section shall be cached */
+        dns_cache_put(&t->scope->cache, p->question, DNS_PACKET_RCODE(p), p->answer, DNS_PACKET_ANCOUNT(p), 0);
 
         if (DNS_PACKET_RCODE(p) == DNS_RCODE_SUCCESS)
                 dns_query_transaction_complete(t, DNS_QUERY_SUCCESS);