From 510977c476609f4c75ffb924deb5101556069761 Mon Sep 17 00:00:00 2001
From: Ville Vesilehto
Date: Thu, 2 Apr 2026 00:20:15 +0300
Subject: [PATCH] fix(dnssec): avoid caching empty signing results (#7996)

---
 plugin/dnssec/cache_test.go | 16 ++++++++++++++++
 plugin/dnssec/dnssec.go     |  4 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/plugin/dnssec/cache_test.go b/plugin/dnssec/cache_test.go
index 64e5bd068..23acdbe78 100644
--- a/plugin/dnssec/cache_test.go
+++ b/plugin/dnssec/cache_test.go
@@ -59,6 +59,22 @@ func TestCacheNotValidExpired(t *testing.T) {
 	}
 }
 
+func TestCacheEmptySigsNotCached(t *testing.T) {
+	c := cache.New[[]dns.RR](defaultCap)
+	m := testMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	k := hash(m.Answer)
+
+	// Create a Dnssec instance with no keys; sign() will produce no signatures.
+	d := New([]string{"miek.nl."}, []*DNSKEY{}, false, nil, c)
+	d.Sign(state, time.Now().UTC(), server)
+
+	_, ok := d.get(k, server)
+	if ok {
+		t.Errorf("Empty signatures should not be cached")
+	}
+}
+
 func TestCacheNotValidYet(t *testing.T) {
 	fPriv, rmPriv, _ := test.TempFile(".", privKey)
 	fPub, rmPub, _ := test.TempFile(".", pubKey)
diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 0b714a1af..2d9003f93 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -143,7 +143,9 @@ func (d Dnssec) sign(rrs []dns.RR, signerName string, ttl, incep, expir uint32,
 			}
 			sigs = append(sigs, sig)
 		}
-		d.set(k, sigs)
+		if len(sigs) > 0 {
+			d.set(k, sigs)
+		}
 		return sigs, nil
 	})
 	return sigs.([]dns.RR), err
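Review bot: TestCacheEmptySigsNotCached only asserts the negative (`d.get(k, server)` misses), so it would also pass if Sign never reached sign() or the cache for a key-less instance, or if `hash(m.Answer)` did not match the key sign() uses; it does not by itself prove the new guard is what keeps the entry out. Capturing Sign's return value and asserting on it (for instance that the returned answer carries no RRSIG) would show the signing path actually ran, which I infer is the intent of the comment on the `New(...)` line. The message in `t.Errorf("Empty signatures should not be cached")` could also name the key, e.g. `t.Errorf("empty signature set for %d should not be cached", k)`, so a failure is easier to place.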
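Review bot: The new `if len(sigs) > 0` guard around `d.set(k, sigs)` carries no comment explaining why an empty result is deliberately left out of the cache, and the reason is not obvious from the surrounding lines. Suggest `// Do not cache an empty result; otherwise an answer signed while no usable key was available would be served unsigned for the cache lifetime.` above the guard — the motivation is inferred from the commit title, so confirm it matches the actual failure mode before committing to the wording. Note that the empty slice is still returned via `return sigs, nil` and `sigs.([]dns.RR)`, so the response for that request is still served without RRSIGs; only caching changes, which is worth stating in the comment too. The enclosing sign method starts and ends outside the hunk.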