+/* This is really gross. The successful return value from res_search() is
+the packet length, which is stored in dnsa->answerlen. If we get a
+negative DNS reply then res_search() returns -1, which causes the bounds
+checks for name decompression to fail when it is treated as a packet
+length, which in turn causes the authority search to fail. The correct
+packet length has been lost inside libresolv, so we have to guess a
+replacement value. (The only way to fix this properly would be to
+re-implement res_search() and res_query() so that they don't muddle their
+success and packet length return values.) For added safety we only reset
+the packet length if the packet header looks plausible. */
+
+static void
+fake_dnsa_len_for_fail(dns_answer * dnsa, int type)
+{
+const HEADER * h = (const HEADER *)dnsa->answer;
+
+if ( h->qr == 1 /* a response */
+ && h->opcode == QUERY
+ && h->tc == 0 /* nmessage not truncated */
+ && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
+ && ( ntohs(h->qdcount) == 1 /* one question record */
+ || f.running_in_test_harness)
+ && ntohs(h->ancount) == 0 /* no answer records */
+ && ntohs(h->nscount) >= 1) /* authority records */
+ {
+ DEBUG(D_dns) debug_printf("faking res_search(%s) response length as %d\n",
+ dns_text_type(type), (int)sizeof(dnsa->answer));
+ dnsa->answerlen = sizeof(dnsa->answer);
+ }
+}
+
+
+/* Return the TTL suitable for an NXDOMAIN result, which is given
+in the SOA. We hope that one was returned in the lookup, and do not
+bother doing a separate lookup; if not found return a forever TTL.
+*/
+
+time_t
+dns_expire_from_soa(dns_answer * dnsa, int type)
+{
+dns_scan dnss;
+
+fake_dnsa_len_for_fail(dnsa, type);
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+ rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+ ) if (rr->type == T_SOA)
+ {
+ const uschar * p = rr->data;
+ uschar discard_buf[256];
+ int len;
+ unsigned long ttl;
+
+ /* Skip the mname & rname strings */
+
+ if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ break;
+ p += len;
+ if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ break;
+ p += len;
+
+ /* Skip the SOA serial, refresh, retry & expire. Grab the TTL */
+
+ if (p > dnsa->answer + dnsa->answerlen - 5 * INT32SZ)
+ break;
+ p += 4 * INT32SZ;
+ GETLONG(ttl, p);
+
+ return time(NULL) + ttl;
+ }
+DEBUG(D_dns) debug_printf("DNS: no SOA record found for neg-TTL\n");
+return 0;
+}
+
+