Cache key isolation issue in recursive lookups #1502

@pawal

Recursor->recurse() supports passing a custom nameserver set, but the recursive cache key is only (name, type, class) (lib/Zonemaster/Engine/Recursor.pm, around lines 98-110). That means a result learned from a custom/untrusted nameserver context can be reused later by normal root-based recursion for the same qname/qtype/qclass. It would be safer if cache entries were scoped by resolver context (for example, root mode vs specific NS set), or if custom-NS recursion bypassed the shared cache.
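The behaviour described in this issue, as an added Perl illustration that is not Zonemaster code: a toy recursor whose cache is keyed either by (name, type, class) alone or with a resolver-context prefix. The names `make_recursor` and `context_id`, the nameserver name, and the answer data are all hypothetical and constructed for the example.

```perl
#!/usr/bin/env perl
# Added illustration: a toy model of the cache-key problem, not Zonemaster code.
use strict;
use warnings;

# Constructed answers: what each resolver context returns for one question.
my %ANSWERS = (
    root   => { 'www.example.test/A/IN' => '192.0.2.10' },
    custom => { 'www.example.test/A/IN' => '198.51.100.66' },
);

# Hypothetical context label: 'root' for default recursion, otherwise the
# sorted custom nameserver set, so the same set always maps to the same scope.
sub context_id {
    my ($ns) = @_;
    return 'root' unless $ns && @$ns;
    my @names = map { lc $_ } @$ns;
    return 'ns:' . join( ',', sort @names );
}

# Build a toy recursor; $scoped decides whether the context is part of the key.
sub make_recursor {
    my ($scoped) = @_;
    my %cache;
    return sub {
        my ( $name, $type, $class, $ns ) = @_;
        my $q   = join '/', lc($name), $type, $class;
        my $key = $scoped ? context_id($ns) . '|' . $q : $q;
        return $cache{$key} if exists $cache{$key};
        my $source = ( $ns && @$ns ) ? 'custom' : 'root';
        return $cache{$key} = $ANSWERS{$source}{$q};
    };
}

my @custom_ns = ('ns1.untrusted.test');    # constructed nameserver name
my $expected  = $ANSWERS{root}{'www.example.test/A/IN'};
for my $mode ( [ 'shared key (name, type, class)', 0 ], [ 'context-scoped key', 1 ] ) {
    my ( $label, $scoped ) = @$mode;
    my $recurse = make_recursor($scoped);
    my $first   = $recurse->( 'www.example.test', 'A', 'IN', \@custom_ns );
    my $second  = $recurse->( 'www.example.test', 'A', 'IN' );    # root-based lookup
    my $note    = $second eq $expected ? '' : '  <-- reused from custom context';
    printf "%-32s custom-NS=%s  root=%s%s\n", $label, $first, $second, $note;
}
```

With the shared key, the second (root-based) lookup returns the answer cached from the custom nameserver set; with the context prefix, the two lookups no longer share an entry.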

Labels: T-Feature (Type: New feature in software or test case description)