git » debian:dnss » commit d19c4a3

diff --git a/internal/dnstox/resolver.go b/internal/dnstox/resolver.go
index 367f6cd..6b3cf49 100644
--- a/internal/dnstox/resolver.go
+++ b/internal/dnstox/resolver.go
@@ -406,7 +406,12 @@ func (c *cachingResolver) Maintain() {
 		for q, ans := range c.answer {
 			newTTL := getTTL(ans) - maintenancePeriod
 			if newTTL > 0 {
-				setTTL(ans, newTTL)
+				// Don't modify in place, create a copy and override.
+				// That way, we avoid races with users that have gotten a
+				// cached answer and are returning it.
+				newans := copyRRSlice(ans)
+				setTTL(newans, newTTL)
+				c.answer[q] = newans
 				continue
 			}
 
@@ -465,6 +470,14 @@ func setTTL(answer []dns.RR, newTTL time.Duration) {
 	}
 }
 
+func copyRRSlice(a []dns.RR) []dns.RR {
+	b := make([]dns.RR, 0, len(a))
+	for _, rr := range a {
+		b = append(b, dns.Copy(rr))
+	}
+	return b
+}
+
 func (c *cachingResolver) Query(r *dns.Msg, tr trace.Trace) (*dns.Msg, error) {
 	stats.cacheTotal.Add(1)