[Opendnssec-develop] [OpenDNSSEC] #136: signer silently drops weird SOA refresh/retry values
OpenDNSSEC
owner-dnssec-trac at kirei.se
Fri May 28 07:41:14 UTC 2010
#136: signer silently drops weird SOA refresh/retry values
---------------------------------------------+------------------------------
Reporter: Tom Hendrikx <tom@…> | Owner: matthijs
Type: defect | Status: new
Priority: major | Component: Signer
Version: trunk | Keywords:
---------------------------------------------+------------------------------
Today I got notified about very low SOA refresh/retry/etc values in all of
my ods-signed zones. dig showed:
{{{
dig +short soa whyscream.net @217.149.194.147
a.ns.whyscream.net. admin.whyscream.net. 2010052601 1 30 4 3600
}}}
The ods-generated zone file contains these values also:
{{{
; Signed on 2010-05-26 17:53:05
whyscream.net. 3600 IN SOA a.ns.whyscream.net. admin.whyscream.net.
2010052601 1 30 4 3600
}}}
When I check the corresponding input file, it contains:
{{{
$ORIGIN whyscream.net.
@ IN SOA a.ns.whyscream.net. admin.whyscream.net. (
2010041901 ; serial YYYYMMDD**
1d ; refresh
30m ; retry
4w ; expire
1h ; negative caching TTL
)
}}}
When I review ods log files, I see no notifications regarding parse
errors/issues about these values. They are silently converted, but not
correctly ('1h' in input should yield '1h' or '3600' in output, but not
'1'). I did some RFC reading but did not find this syntax defined
somewhere, so I suspect it to be a widely-supported 'bindism' ;/
Suggested fix would be to either:
- support the syntax with w/h/m values in it, and use these (or their
converted-to-RFC-compliant) values in the output file
- throw an error about non-RFC syntax in input file, and abort signing
process
--
Ticket URL: <http://trac.opendnssec.org/ticket/136>
OpenDNSSEC <http://www.opendnssec.org/>
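The ticket's symptom (a field like `1h` becoming `1`) is what a C-style `atoi()`/`strtol()` read produces, because it stops at the first non-digit and reports nothing. The following added example, which is not OpenDNSSEC code and only assumes that explanation of the symptom, shows a parser for the BIND-style `w/d/h/m/s` duration suffixes used in the reporter's input zone (the first of the two suggested fixes), raising an error on anything it cannot interpret (the second), next to an `atoi_style()` helper that reproduces the silent truncation. The `SAMPLE_ZONE` text is a constructed copy of the input file quoted in the ticket; `parse_soa()` reads the multi-line `( ... )` SOA form with `;` comments and returns the timers in seconds, which is what should end up in the signed zone.

```python
import re

# Seconds per BIND-style duration suffix (the syntax used in the ticket's input zone).
UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([wdhms])", re.IGNORECASE)
MAX_TTL = 2**31 - 1  # RFC 2181 section 8: TTLs with the high bit set are treated as 0


def atoi_style(text):
    """Reproduce the symptom from the ticket: a C-style atoi()/strtol() read stops at
    the first non-digit, so '1h' quietly becomes 1. This is an assumed explanation of
    the symptom, not the signer's actual code."""
    m = re.match(r"\d+", text.strip())
    return int(m.group(0)) if m else 0


def parse_ttl(text):
    """Convert a TTL/duration field to seconds.

    Accepts a plain integer ('3600') or BIND-style suffixed values ('1h', '1h30m').
    Anything else raises ValueError so bad input is reported, never silently converted.
    """
    s = text.strip()
    if s.isdigit():
        value = int(s)
    else:
        value, pos = 0, 0
        for m in _TOKEN.finditer(s):
            if m.start() != pos:          # junk before or between tokens
                raise ValueError(f"malformed duration: {text!r}")
            value += int(m.group(1)) * UNITS[m.group(2).lower()]
            pos = m.end()
        if pos == 0 or pos != len(s):     # nothing matched, or trailing junk
            raise ValueError(f"malformed duration: {text!r}")
    if value > MAX_TTL:
        raise ValueError(f"duration out of range: {text!r}")
    return value


def parse_soa(zone_text):
    """Extract the SOA RDATA from a master-file fragment, handling ';' comments and
    the multi-line '( ... )' form. Returns the timer fields in seconds."""
    tokens = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]        # drop trailing comment
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    try:
        i = tokens.index("SOA")
    except ValueError:
        raise ValueError("no SOA record found") from None
    fields = tokens[i + 1:i + 8]
    if len(fields) != 7:
        raise ValueError("SOA record is incomplete")
    mname, rname, serial, refresh, retry, expire, minimum = fields
    if not serial.isdigit():
        raise ValueError(f"bad serial: {serial!r}")
    return {
        "mname": mname, "rname": rname, "serial": int(serial),
        "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
        "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
    }


# Constructed copy of the input zone quoted in the ticket.
SAMPLE_ZONE = """\
$ORIGIN whyscream.net.
@ IN SOA a.ns.whyscream.net. admin.whyscream.net. (
2010041901 ; serial
1d ; refresh
30m ; retry
4w ; expire
1h ; negative caching TTL
)
"""

if __name__ == "__main__":
    print(parse_soa(SAMPLE_ZONE))
    for field in ("1d", "30m", "4w", "1h"):
        print(field, "atoi-style:", atoi_style(field), "correct:", parse_ttl(field))
```

Running the script prints the parsed SOA with refresh 86400, retry 1800, expire 2419200 and minimum 3600, and shows the atoi-style reading of the same fields yielding 1, 30, 4 and 1, which matches the values the reporter saw in `dig` output. A signer that converts this way, or that rejects the suffixed form with an error, would not produce the silent corruption described in the ticket.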