[Opendnssec-user] TTL values through to signed zone?

Havard Eidnes he at uninett.no
Tue Dec 3 22:19:58 UTC 2019

> Hm.  Need to look at the source, I think.

...and the log:

Dec  3 22:16:20 signer-host ods-signerd: In zone file eduvpn.uninett.no: TTL for the record 'vpn.eduvpn.uninett.no. 600 IN A' set to 86400

This comes from zone_add_rr() in signer/zone.c:

    } else {
        record = rrset_add_rr(rrset, rr);
        if (ldns_rr_ttl(rr) != ldns_rr_ttl(rrset->rrs[0].rr)) {
            str = ldns_rr2str(rr);
            str[(strlen(str)) - 1] = '\0';
            for (i = 0; i < strlen(str); i++) {
                if (str[i] == '\t') {
                    str[i] = ' ';
            ods_log_error("In zone file %s: TTL for the record '%s' set to %d", zone->name, str, ldns_rr_ttl(rrset->rrs[0].rr));

I suspect this is code which is supposed to ensure that all the RRs in
an RRset has the same TTL (a correct goal to ensure).

Hm, I wonder...  This is a two-record RRset, but I suspect one record
is attempted to be replaced at a time, so ...  will I then ever be
able to reduce the TTL of the RRset, even if I do it simultaneously
for both of them in the original master zone?  (That's a rhetorical,
the answer appears to be "no".)  Or do I have to go the path via
having just one RR?  Or ... it actually looks like I had to go the
path via briefly having 0 RRs in the RRset; I now have the appropriate
TTL emitted after signature.

It appears to me that some operations internally in OpenDNSSEC really
should be on a "per RRset" basis, not just "per RR"(?)


- Håvard

More information about the Opendnssec-user mailing list