On 04/26/2018 04:51 PM, Maurice Mahieu wrote:
> Hello Berry,
>
> This is not what is happening in my case. Also if I change a TTL of
> an A record it doesn't get updated at all. Only if I do a "ods-signer
> clear" the TTL gets updated in the signed zone.

I haven't got a clear path where things got wrong, but I think I can
confirm the issue as a real bug. It seems to be the latest release of
1.4 only. I need to check the 2.1 release, since that might differ.
But I've not really been able to reproduce the issue, but far enough
to confirm it.

\Berry

> Regards,
>
> Maurice
>
> On 25-04-18 11:02, Berry A.W. van Halderen wrote:
>> On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
>>> Hello Mathieu,
>>> When running a "ods-signer clear" the TTL indeed gets updated. But I
>>> have to run it every time before I run a "ods-signer sign". This
>>> looks like a bug.
>>> On 24-04-18 16:07, Mathieu Arnold wrote:
>>>> On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
>>>>> I upgraded from opendnssec-1.4.8.2 to opendnssec
>>>>> With kind regards,
>>>>> Maurice Mahieu
>>>>> system engineer
>>>>> Had anybody else experienced this behaviour ?
>>>> I have, it was very annoying, and then, one day, after running
>>>> ods-signer clear on all our zones, because of some other issue, that
>>>> problem went away.
>>>>
>> There is a fix in a recent 1.4 version for handling problems in the
>> input zone. When you have record set with the same name and type,
>> but there are different TTLs on the multiple RRs in the set, then the
>> TTL gets corrected.
>> Note that it is incorrect to have different TTLs on these RRs, but in
>> case this happens, what you do not want is to have bogus signatures.
>> The fix should address this, but for pure code-technical problems
>> it cannot choose the right TTL. This happens when you have got into
>> the situation and later correct this in the input zone, in that
>> case it still won't get the TTL right, but will keep all records
>> correctly signed.
>> So this isn't a full fix, but for 1.4 and 2.1 the improvement would
>> mean a code revision that is too large for a maintenance branch,
>> _given_ this is already an incorrect input file.
>>
>> Now, I hope this is what you have run into. In that case, the
>> ods-zone sign/clear command will force the TTLs to be corrected.
>> If the problem in the input file doesn't happen again, then
>> you won't run into the problem again.
>>
>> Just to be sure I will perform a test, perhaps I can have a copy
>> of your kasp.xml to make sure I mimic the specified TTLs in there.
>> In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
>> a possible cause that will cap your TTLs.
>>
>> With kind regards,
>> Berry van Halderen
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user@lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
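
The input-zone condition described in the quoted reply above (RRs with the same name and type but different TTLs) can be checked before the file reaches the signer. This is an added example, not part of the original thread and not OpenDNSSEC code; it assumes a simplified zone file with one RR per line as `owner TTL class type rdata` (no `$TTL` defaults, omitted fields or multi-line records), and the sample zone is constructed.

```python
from collections import defaultdict

# Constructed sample input: the two A records for www form one RRset
# but carry different TTLs, which is the incorrect-input case.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
ns1.example.com.  3600 IN A   192.0.2.1
www.example.com.  300  IN A   192.0.2.10
WWW.example.com.  3600 IN A   192.0.2.11
www.example.com.  300  IN AAAA 2001:db8::10
"""


def parse_rrs(zone_text):
    """Yield (owner, rrtype, ttl, lineno) for each RR line.

    Assumes the simplified layout 'owner TTL class type rdata...'.
    """
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        # Drop comments (assumes no ';' inside quoted rdata).
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue  # blank line or directive such as $ORIGIN
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: unsupported record layout")
        owner, ttl, _rrclass, rrtype = fields[:4]
        # Owner names compare case-insensitively; normalise the type too.
        yield owner.lower(), rrtype.upper(), int(ttl), lineno


def mismatched_rrsets(zone_text):
    """Return {(owner, type): {ttl: [line numbers]}} for RRsets with >1 TTL."""
    rrsets = defaultdict(lambda: defaultdict(list))
    for owner, rrtype, ttl, lineno in parse_rrs(zone_text):
        rrsets[(owner, rrtype)][ttl].append(lineno)
    return {key: dict(ttls) for key, ttls in rrsets.items() if len(ttls) > 1}


if __name__ == "__main__":
    for (owner, rrtype), ttls in sorted(mismatched_rrsets(SAMPLE_ZONE).items()):
        print(f"{owner} {rrtype}: conflicting TTLs {ttls}")
```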