[Opendnssec-user] opendnssec-1.4.14 signer omits custom TTL entries.

Maurice Mahieu maurice at info.nl
Thu Apr 26 14:51:32 UTC 2018

Hello Berry,

This is not what is happening in my case. Also if I change a TTL of
an A record it doesn't get updated at all. Only if I do an "ods-signer
clear" does the TTL get updated in the signed zone.



On 25-04-18 11:02, Berry A.W. van Halderen wrote:
> On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
>> Hello Mathieu,
>> When running a "ods-signer clear" the TTL indeed gets updated. But I
>> have to run it every time before I run an "ods-signer sign". This
>> looks like a bug.
>> On 24-04-18 16:07, Mathieu Arnold wrote:
>>> On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
>>>> I upgraded from opendnssec- to opendnssec
>>>> With kind regards,
>>>> Maurice Mahieu
>>>> system engineer
>>>> Has anybody else experienced this behaviour?
>>> I have, it was very annoying, and then, one day, after running
>>> ods-signer clear on all our zones, because of some other issue, that
>>> problem went away.
> There is a fix in a recent 1.4 version for handling problems in the
> input zone.  When you have a record set with the same name and type,
> but there are different TTLs on the multiple RRs in the set, then the
> TTL gets corrected.
> Note that it is incorrect to have different TTLs on these RRs, but in
> case this happens, what you do not want is to have bogus signatures.
> The fix should address this, but for pure code-technical problems
> it cannot choose the right TTL.  This happens when you have got into
> the situation and later correct this in the input zone, in that
> case it still won't get the TTL right, but will keep all records
> correctly signed.
> So this isn't a full fix, but for 1.4 and 2.1 the improvement would
> mean a code revision that is too large for a maintenance branch,
> _given_ this is already an incorrect input file.
> Now, I hope this is what you have run into.  In that case, the
> ods-zone sign/clear command will force the TTLs to be corrected.
> If the problem in the input file doesn't happen again, then
> you won't run into the problem again.
> Just to be sure I will perform a test, perhaps I can have a copy
> of your kasp.xml to make sure I mimic the specified TTLs in there.
> In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
> a possible cause that will cap your TTLs.
> With kind regards,
> Berry van Halderen

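An added example, not part of the thread and not OpenDNSSEC code: a pre-signing check that flags RRsets in an unsigned input zone whose RRs carry different TTLs, the input problem described in the quoted reply above. It assumes a simplified zone file (one RR per line, an explicit owner name on every line, numeric TTLs, a `$TTL` line before any record without its own TTL); the zone contents and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample input zone (not from the thread): www has two A RRs
# whose TTLs differ, the inconsistent-RRset case described above.
SAMPLE_ZONE = """\
$TTL 3600
example.com.      IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
example.com.      IN NS  ns1.example.com.
ns1.example.com.  600 IN A 192.0.2.1
www.example.com.  300 IN A 192.0.2.10
www.example.com.  900 IN A 192.0.2.11
www.example.com.  300 IN AAAA 2001:db8::10
"""
CLASSES = {"IN", "CH", "HS"}


def rrset_ttls(zone_text):
    """Map (owner, type) -> set of TTLs seen, for one-RR-per-line input."""
    default_ttl = None
    seen = defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$TTL":
                default_ttl = int(fields[1])
            continue  # $ORIGIN / $INCLUDE are out of scope here
        owner, rest = fields[0].lower(), fields[1:]
        ttl = default_ttl
        # TTL and class are both optional and may come in either order.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            if rest[0].isdigit():
                ttl = int(rest[0])
            rest = rest[1:]
        if ttl is None:
            raise ValueError(f"no TTL and no $TTL before: {raw!r}")
        if rest:
            seen[(owner, rest[0].upper())].add(ttl)
    return seen


def mismatched_rrsets(zone_text):
    """Return {(owner, type): sorted TTLs} for RRsets with more than one TTL."""
    return {k: sorted(v) for k, v in rrset_ttls(zone_text).items() if len(v) > 1}


if __name__ == "__main__":
    for (owner, rtype), ttls in mismatched_rrsets(SAMPLE_ZONE).items():
        print(f"{owner} {rtype}: mixed TTLs {ttls}")
```

Run against the unsigned zone before it is handed to the signer; an empty result means every RRset has a single TTL.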