On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
> Hello Mathieu,
>
> When running a "ods-signer clear" the TTL indeed gets updated. But I
> have to run it every time before I run a "ods-signer sign". This
> looks like a bug.
>
> On 24-04-18 16:07, Mathieu Arnold wrote:
>> On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
>>> I upgraded from opendnssec-1.4.8.2 to opendnssec
>>> Kind regards,
>>> Maurice Mahieu
>>> system engineer
>>> Had anybody else experienced this behaviour?
>> I have, it was very annoying, and then, one day, after running
>> ods-signer clear on all our zones, because of some other issue, that
>> problem went away.
There is a fix in a recent 1.4 version for handling problems in the input zone. When you have a record set with the same name and type, but there are different TTLs on the multiple RRs in the set, then the TTL gets corrected. Note that it is incorrect to have different TTLs on these RRs, but in case this happens, what you do not want is to have bogus signatures. The fix should address this, but for pure code-technical problems it cannot choose the right TTL. This happens when you have got into the situation and later correct this in the input zone; in that case it still won't get the TTL right, but will keep all records correctly signed.

So this isn't a full fix, but for 1.4 and 2.1 the improvement would mean a code revision that is too large for a maintenance branch, _given_ this is already an incorrect input file.

Now, I hope this is what you have run into. In that case, the ods-zone sign/clear command will force the TTLs to be corrected. If the problem in the input file doesn't happen again, then you won't run into the problem again.

Just to be sure I will perform a test; perhaps I can have a copy of your kasp.xml to make sure I mimic the specified TTLs in there. In 1.4 there is no MaxZoneTTL yet, otherwise this would also be a possible cause that will cap your TTLs.

With kind regards,
Berry van Halderen

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
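The condition Berry describes, an RRset (same owner, class and type) whose RRs carry different TTLs, is something an operator can catch in the unsigned input zone before the signer ever sees it. The following checker is an added example, not code from this thread or from OpenDNSSEC: it parses a constructed single-line zone format, reports every RRset with conflicting TTLs, and normalizes each set to its lowest TTL, which is how RFC 2181 section 5.2 tells resolvers to treat a mixed-TTL RRset. Which TTL OpenDNSSEC picks when it corrects a set is not stated in the thread, so the "lowest TTL" choice and the optional `max_zone_ttl` cap (modelled on the MaxZoneTTL setting Berry mentions for later versions) are assumptions.

```python
"""Detect and normalize RRsets whose RRs carry different TTLs in an unsigned zone.

Added example, not OpenDNSSEC code. DNSSEC signs whole RRsets and the RRSIG carries a
single Original TTL, so every RR in a set must share one TTL. RFC 2181 section 5.2 says
to treat a mixed-TTL RRset as if every RR had the lowest TTL; this checker normalizes
the same way. The cap parameter mimics a MaxZoneTTL-style limit (assumption).
"""
from collections import OrderedDict


def parse_zone(text):
    """Parse a minimal 'owner TTL class type rdata' format (no $ORIGIN, no parentheses)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def find_ttl_conflicts(records):
    """Return {(owner, class, type): sorted distinct TTLs} for every inconsistent RRset."""
    ttls = OrderedDict()
    for owner, ttl, rclass, rtype, _ in records:
        ttls.setdefault((owner, rclass, rtype), set()).add(ttl)
    return {key: sorted(vals) for key, vals in ttls.items() if len(vals) > 1}


def normalize_ttls(records, max_zone_ttl=None):
    """Give every RRset one TTL: the set's lowest, optionally capped at max_zone_ttl."""
    lowest = {}
    for owner, ttl, rclass, rtype, _ in records:
        key = (owner, rclass, rtype)
        lowest[key] = min(ttl, lowest.get(key, ttl))
    out = []
    for owner, ttl, rclass, rtype, rdata in records:
        new_ttl = lowest[(owner, rclass, rtype)]
        if max_zone_ttl is not None:
            new_ttl = min(new_ttl, max_zone_ttl)
        out.append((owner, new_ttl, rclass, rtype, rdata))
    return out


# Constructed sample zone: the www A RRset mixes two TTLs, the MX RRset is consistent.
SAMPLE_ZONE = """\
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 300
example.test.      3600 IN NS  ns1.example.test.
www.example.test.  3600 IN A   192.0.2.10
www.example.test.   600 IN A   192.0.2.11   ; differs from the first A record
example.test.      3600 IN MX  10 mail.example.test.
example.test.      3600 IN MX  20 mail2.example.test.
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for (owner, rclass, rtype), ttls in find_ttl_conflicts(recs).items():
        print("TTL mismatch in RRset %s %s %s: %s" % (owner, rclass, rtype, ttls))
    fixed = normalize_ttls(recs)
    assert not find_ttl_conflicts(fixed)
```

Running the check on the zone file that feeds the signer, and refusing to sign while `find_ttl_conflicts` returns anything, keeps the mixed-TTL case out of the signer entirely, so the question of which TTL the signer would choose never arises.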