[Opendnssec-develop] Re: Signer does not update TTL on RRs unless there is change in RDATA

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 3 09:23:19 UTC 2011


On 09/30/2011 04:33 PM, Jerry Lundström wrote:
> Hi,
> 
> Patrik reported this problem today and it's very easy to replicate in
> 1.3.2, just change the $TTL and issue a resign of the zone. Since there
> is no RDATA change the TTL does not get changed in the signed zone.

Hm yes: for the sake of comparing RRs, checking the TTL values should be
omitted.

> This is because util_dnssec_rrs_compare() uses ldns_rr_compare_wire()
> and that only checks for changes in RDATA.
> 
> Before I commit this fix that I've tested, I wanted to check if this can
> break anything else?

This indeed sets the new TTL on the RRs in the signed zone, but not yet
the RRSIG TTL and the Original TTL field. Although it is the same RR, a
new signature should be created as well (3.1.8.1.  Signature Calculation
[RFC4034]).

> I can't see if this is a problem in trunk since it seems that most of
> the rr/rrset code has been changed.

As far as I can see, it also applies to trunk.

> /Jerry
> 
> Index: branches/OpenDNSSEC-1.3/signer/src/signer/rrset.c
> ===================================================================
> --- branches/OpenDNSSEC-1.3/signer/src/signer/rrset.c(revision 5654)
> +++ branches/OpenDNSSEC-1.3/signer/src/signer/rrset.c(working copy)
> @@ -474,6 +474,9 @@
>  
>              current = current->next;
>          } else { /* equal RRs */
> +        /* TTL is not compared in util_dnssec_rrs_compare() so we copy
> it */
> +        ldns_rr_set_ttl(current->rr, ldns_rr_ttl(pending->rr));
> +
>              /* remove pending RR */
>              if (!prev) {
>                  rrset->add = pending->next;
> 
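Review bot: copying the TTL onto current->rr in the "equal RRs" branch updates the RR itself but leaves the RRset's existing RRSIGs untouched, so their TTL and Original TTL field keep the old value; since the RRset TTL is part of the signature calculation (RFC 4034, 3.1.8.1), the branch should also mark the RRset as changed (or drop its signatures) so it is re-signed with the new TTL, rather than silently treating a TTL-only change as a no-op. Two smaller points on the same hunk: the added lines are indented eight spaces where the surrounding block uses twelve, and the comment continuation `it */` appears without a leading `+`, which looks like mail wrapping but should be checked in the committed version so the comment stays on one line or is continued properly.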
