lib/cache: trim TTL of failing stashed packets

Vladimír Čunátrequested to merge
packet-SERVFAIL into master

In particular, in STUB mode (i.e. forwarding with dnssec:false + authoritative:false) if a SERVFAIL packet from upstream contained also records, this packet could be cached with long TTL.

This issue was reported by Qifan Zhang from Palo Alto Networks.

Additionally, let's apply our TTL limits for caching also to the max-age HTTP header sent in DoH replies.

Edited by Vladimír Čunát

Merge request reports