[Opendnssec-user] TTL values through to signed zone?

Havard Eidnes he at uninett.no
Tue Dec 3 22:19:58 UTC 2019


> Hm.  Need to look at the source, I think.

...and the log:

Dec  3 22:16:20 signer-host ods-signerd: In zone file eduvpn.uninett.no: TTL for the record 'vpn.eduvpn.uninett.no. 600 IN A 158.38.2.19' set to 86400

This comes from zone_add_rr() in signer/zone.c:

    ...
    } else {
        record = rrset_add_rr(rrset, rr);
        ods_log_assert(record);
        ods_log_assert(record->rr);
        ods_log_assert(record->is_added);
        if (ldns_rr_ttl(rr) != ldns_rr_ttl(rrset->rrs[0].rr)) {
            str = ldns_rr2str(rr);
            str[(strlen(str)) - 1] = '\0';
            for (i = 0; i < strlen(str); i++) {
                if (str[i] == '\t') {
                    str[i] = ' ';
                }
            }
            ods_log_error("In zone file %s: TTL for the record '%s' set to %d", zone->name, str, ldns_rr_ttl(rrset->rrs[0].rr));
            LDNS_FREE(str);
            ldns_rr_set_ttl(rr,ldns_rr_ttl(rrset->rrs[0].rr));
        }
    }

I suspect this is code which is supposed to ensure that all the RRs in
an RRset have the same TTL (a correct goal to ensure).

Hm, I wonder...  This is a two-record RRset, but I suspect one record
is attempted to be replaced at a time, so ...  will I then ever be
able to reduce the TTL of the RRset, even if I do it simultaneously
for both of them in the original master zone?  (That's rhetorical,
the answer appears to be "no".)  Or do I have to go the path via
having just one RR?  Or ... it actually looks like I had to go the
path via briefly having 0 RRs in the RRset; I now have the appropriate
TTL emitted after signature.

It appears to me that some operations internally in OpenDNSSEC really
should be on a "per RRset" basis, not just "per RR"(?)

Regards,

- Håvard
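A small Python model of the TTL normalisation in the zone_add_rr() excerpt quoted above, added here as an example; it is not OpenDNSSEC's own code. It assumes, as the post guesses, that a TTL change in the master zone reaches the signer as one RR replaced at a time, and it uses a second, constructed A record alongside the one from the log line.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Model of the quoted check: when an RR is added to a non-empty RRset and
# its TTL differs from that of rrs[0], the incoming RR's TTL is overwritten.

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str
    ttl: int

@dataclass
class RRset:
    rrs: List[RR] = field(default_factory=list)

    def add_rr(self, rr: RR, log: List[str]) -> RR:
        """Mimics rrset_add_rr() plus the TTL normalisation in zone_add_rr()."""
        if self.rrs and rr.ttl != self.rrs[0].ttl:
            log.append(f"TTL for the record '{rr.owner} {rr.ttl} IN "
                       f"{rr.rtype} {rr.rdata}' set to {self.rrs[0].ttl}")
            rr.ttl = self.rrs[0].ttl
        self.rrs.append(rr)
        return rr

    def del_rr(self, rdata: str) -> None:
        self.rrs = [r for r in self.rrs if r.rdata != rdata]

def replace_one_at_a_time(rrset: RRset, new_rrs: List[RR], log: List[str]) -> List[int]:
    """Assumed update path: each RR is deleted and re-added individually."""
    for rr in new_rrs:
        rrset.del_rr(rr.rdata)
        rrset.add_rr(rr, log)
    return sorted({r.ttl for r in rrset.rrs})

def replace_whole_set(rrset: RRset, new_rrs: List[RR], log: List[str]) -> List[int]:
    """Workaround from the post: briefly empty the RRset, then add all RRs."""
    for rr in new_rrs:
        rrset.del_rr(rr.rdata)
    for rr in new_rrs:
        rrset.add_rr(rr, log)
    return sorted({r.ttl for r in rrset.rrs})

# 158.38.2.19 is from the log line; 198.51.100.20 is a constructed second address.
ADDRS = ("158.38.2.19", "198.51.100.20")

def make_rrs(ttl: int) -> List[RR]:
    return [RR("vpn.eduvpn.uninett.no.", "A", ip, ttl) for ip in ADDRS]

def demo() -> Tuple[List[int], List[int], List[str], List[str]]:
    """Lower the TTL 86400 -> 600 both ways; returns resulting TTLs and logs."""
    log1: List[str] = []
    log2: List[str] = []
    set1, set2 = RRset(), RRset()
    for rr in make_rrs(86400):
        set1.add_rr(rr, log1)
    for rr in make_rrs(86400):
        set2.add_rr(rr, log2)
    per_rr = replace_one_at_a_time(set1, make_rrs(600), log1)
    per_set = replace_whole_set(set2, make_rrs(600), log2)
    return per_rr, per_set, log1, log2
```

Replacing one RR at a time leaves the RRset at 86400 with two "set to 86400" log lines; emptying the set first yields 600 with no log line.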
