[Opendnssec-user] opendnssec-1.4.14 signer ommits cistom TTL entries.

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon May 7 12:55:35 UTC 2018

On 04/26/2018 04:51 PM, Maurice Mahieu wrote:
> Hello Berry,
> This is not what is happening in my case. ALso if  I change a TTL  of
> an  A record it doesn't get updated at all. Only if I do a "ods-signer
> clear"  the TTL gets update in the signed zone.

I haven't got a clear path where things got wrong, but I think I can
confirm the issue as a real bug.  It seems to be the latest release of
1.4 only.  I need to check the 2.1 release, since that might differ.
But I've not really been able to reproduce the issue, but far enough to
confirm it.


> Regards,
> Maurice
> On 25-04-18 11:02, Berry A.W. van Halderen wrote:
>> On 04/24/2018 04:37 PM, Maurice Mahieu wrote:
>>> Hello Mathieu,
>>> When running a "ods-signer clear" the TTL indeed gets updated. But I
>>> have to run it every every time before I run a "ods-signer sign". This
>>> looks like a bug.
>>> On 24-04-18 16:07, Mathieu Arnold wrote:
>>>> On Tue, Apr 24, 2018 at 11:33:30AM +0000, Maurice Mahieu wrote:
>>>>> I upgraded from opendnssec- to opendnssec
>>>>> Met vriendelijke groet,
>>>>> Maurice Mahieu
>>>>> system engineer
>>>>> Had anybody else experienced this behaviour ?
>>>> I have, it was very annoying, and then, one day, after running
>>>> ods-signer clear on all our zones, because of some other issue, that
>>>> problem went away.
>> There is a fBerry 
>> ix in a recent 1.4 version for handling problems in the
>> input zone.  When you have record set with the same name and type,
>> but there are different TTLs on the multiple RRs in the set, then the
>> TTL gets corrected.
>> Note that it is incorrect to have different TTLs on these RRs, but in
>> case this happens, what you do not want is to have bogus signatures.
>> The fix should address this, but for pure code-technical problems
>> it cannot choose the right TTL.  This happens when you have got into
>> the situation and later correct this in the input zone, in that
>> case it still won't get the TTL right, but will keep all records
>> correctly signed.
>> So this isn't a full fix, but for 1.4 and 2.1 the improvement would
>> mean a code revision that is too large for a maintenance branch,
>> _given_ this is already a incorrect input file.
>> Now, I hope this is what you have run into.  In that case, the
>> ods-zone sign/clear command will force the TTLs to be corrected.
>> If the problem in the input file doesn't happen again, then
>> you won't run into the problem again.
>> Just to be sure I will perform a test, perhaps I can have a copy
>> of your kasp.xml to make sure I mimick the specified TTLs in there.
>> In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
>> a possible cause that will cap your TTLs.
>> With kind regards,
>> Berry van Halderen
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list