[Opendnssec-user] opendnssec-1.4.14 signer ommits cistom TTL entries.

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Apr 25 09:02:27 UTC 2018

On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
> Hello Mathieu,
> When running a "ods-signer clear" the TTL indeed gets updated. But I
> have to run it every every time before I run a "ods-signer sign". This
> looks like a bug.
> On 24-04-18 16:07, Mathieu Arnold wrote:
>> On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
>>> I upgraded from opendnssec- to opendnssec
>>> Met vriendelijke groet,
>>> Maurice Mahieu
>>> system engineer
>>> Had anybody else experienced this behaviour ?
>> I have, it was very annoying, and then, one day, after running
>> ods-signer clear on all our zones, because of some other issue, that
>> problem went away.

There is a fix in a recent 1.4 version for handling problems in the
input zone.  When you have record set with the same name and type,
but there are different TTLs on the multiple RRs in the set, then the
TTL gets corrected.
Note that it is incorrect to have different TTLs on these RRs, but in
case this happens, what you do not want is to have bogus signatures.
The fix should address this, but for pure code-technical problems
it cannot choose the right TTL.  This happens when you have got into
the situation and later correct this in the input zone, in that
case it still won't get the TTL right, but will keep all records
correctly signed.
So this isn't a full fix, but for 1.4 and 2.1 the improvement would
mean a code revision that is too large for a maintenance branch,
_given_ this is already a incorrect input file.

Now, I hope this is what you have run into.  In that case, the
ods-zone sign/clear command will force the TTLs to be corrected.
If the problem in the input file doesn't happen again, then
you won't run into the problem again.

Just to be sure I will perform a test, perhaps I can have a copy
of your kasp.xml to make sure I mimick the specified TTLs in there.
In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
a possible cause that will cap your TTLs.

With kind regards,
Berry van Halderen

More information about the Opendnssec-user mailing list