<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Berry, <br>
</p>
<p>This is not what is happening in my case. Also if I change a
TTL of an A record it doesn't get updated at all. Only if I do a
"ods-signer clear" the TTL gets updated in the signed zone. <br>
</p>
<p>Regards, <br>
</p>
<p>Maurice <br>
</p>
<pre wrap="">
</pre>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 25-04-18 11:02, Berry A.W. van
Halderen wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c5f90236-0d2f-00a8-d47b-54bb2ec0c4c0@nlnetlabs.nl">
<pre wrap="">On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello Mathieu,
When running a "ods-signer clear" the TTL indeed gets updated. But I
have to run it every time before I run a "ods-signer sign". This
looks like a bug.
On 24-04-18 16:07, Mathieu Arnold wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I upgraded from opendnssec-1.4.8.2 to opendnssec
Kind regards,
Maurice Mahieu
system engineer
Had anybody else experienced this behaviour?
</pre>
</blockquote>
<pre wrap="">I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
</pre>
</blockquote>
</blockquote>
<pre wrap="">
There is a fix in a recent 1.4 version for handling problems in the
input zone. When you have a record set with the same name and type,
but there are different TTLs on the multiple RRs in the set, then the
TTL gets corrected.
Note that it is incorrect to have different TTLs on these RRs, but in
case this happens, what you do not want is to have bogus signatures.
The fix should address this, but for pure code-technical problems
it cannot choose the right TTL. This happens when you have got into
the situation and later correct this in the input zone, in that
case it still won't get the TTL right, but will keep all records
correctly signed.
So this isn't a full fix, but for 1.4 and 2.1 the improvement would
mean a code revision that is too large for a maintenance branch,
_given_ this is already an incorrect input file.
Now, I hope this is what you have run into. In that case, the
ods-zone sign/clear command will force the TTLs to be corrected.
If the problem in the input file doesn't happen again, then
you won't run into the problem again.
Just to be sure I will perform a test, perhaps I can have a copy
of your kasp.xml to make sure I mimic the specified TTLs in there.
In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
a possible cause that will cap your TTLs.
With kind regards,
Berry van Halderen
</pre>
</blockquote>
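<p>Berry's reply describes input zones in which RRs with the same name and type carry different TTLs. A pre-signing check for that condition over the unsigned zone file, as an added example that is not part of the thread or of OpenDNSSEC: the function names and the sample zone are made up here, and the parser assumes one record per line (no parentheses) and that a record without a TTL takes $TTL, else the last explicit TTL.</p>

```python
import re
from collections import defaultdict
CLASSES = {"IN", "CH", "HS"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(tok):
    """Seconds for '3600' or BIND-style '1h30m'; None if tok is not a TTL."""
    parts = re.findall(r"(\d+)([smhdw]?)", tok.lower())
    if not parts or "".join(n + u for n, u in parts) != tok.lower():
        return None
    return sum(int(n) * UNITS[u] for n, u in parts)

def mixed_ttl_rrsets(zone_text, origin="."):
    """Return {(owner, type): [ttls]} for every RRset that carries several TTLs."""
    default_ttl = last_ttl = owner = None
    seen = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]               # drop comments (naive: no quoted ';')
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith("$"):               # directives
            if toks[0].upper() == "$TTL":
                default_ttl = parse_ttl(toks[1])
            elif toks[0].upper() == "$ORIGIN":
                origin = toks[1]
            continue
        if not line[0].isspace():                 # owner in column 0, else inherit previous
            name = toks.pop(0)
            if name == "@":
                name = origin
            elif not name.endswith("."):
                name = name + "." + origin.lstrip(".")
            owner = name.lower()
        ttl = None
        while toks and (toks[0].upper() in CLASSES or parse_ttl(toks[0]) is not None):
            tok = toks.pop(0)
            if tok.upper() not in CLASSES:
                ttl = last_ttl = parse_ttl(tok)
        if ttl is None:                           # assumed fallback: $TTL, then last explicit TTL
            ttl = default_ttl if default_ttl is not None else last_ttl
        if toks and ttl is not None:
            seen[(owner, toks[0].upper())].add(ttl)
    return {key: sorted(ttls) for key, ttls in seen.items() if len(ttls) != 1}

SAMPLE_ZONE = "\n".join([                         # constructed input, not from the thread
    "$ORIGIN example.test.", "$TTL 3600",
    "www   300 IN A 192.0.2.10", "www       IN A 192.0.2.11",
    "mail  1h  IN A 192.0.2.25", "          IN A 192.0.2.26"])
```

<p>On the sample, only www/A is reported (300 and 3600); mail/A is consistent because 1h and the $TTL default both resolve to 3600.</p>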
</body>
</html>