Affects Version/s: OpenDNSSEC 1.4.7
Fix Version/s: None
NetBSD/amd64 6.1.5, Zone transfer in, zone transfer out with OpenDNSSEC
With reference to the e-mail thread on opendnssec-user with the subject
"TTL clamped to minimum 3600" (which was a misleading title), started
on January 20, it seems that the outgoing IXFR processing in the signer
disregards TTL-only changes to the data, causing the previous TTL
on the downstream name server to "stick around"; see the follow-up
message of January 22 in the same thread.
For a validating resolver this is not an issue, since the RRSIG contains the
"original TTL" value, and a validator must limit the TTL of the signed record
to the value in the RRSIG "original TTL" field.
However, a non-validating resolver just uses the TTL from the record as is,
and then the inability to propagate a TTL-only change through OpenDNSSEC
with IXFR becomes a problem: a TTL-only change is typically used to
reduce the caching time just prior to an actual change of the data in the record,
so it is highly desirable that a TTL-only change should propagate.
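As an added example (not OpenDNSSEC code; the two zone snapshots and the signature data are constructed inline), the following Python compares a signer-side zone with a downstream copy to flag RRsets that differ only in TTL, and computes the TTL a validating versus a non-validating resolver would cache from the downstream copy:

```python
"""Detect TTL-only drift between a signer's zone and a downstream secondary, and
show which resolvers are affected. Constructed data: not a real zone."""
from collections import defaultdict

# Presentation-format snapshots: owner TTL class type rdata (one record per line).
# Upstream lowered www's TTL to 300 ahead of a planned address change; the
# downstream copy still carries the old 3600 because the IXFR omitted the change.
UPSTREAM = """\
www.example.   300 IN A     192.0.2.10
www.example.   300 IN RRSIG A 8 2 300 20240301000000 20240201000000 12345 example. AbCd==
mail.example. 3600 IN A     192.0.2.20
"""
DOWNSTREAM = """\
www.example.  3600 IN A     192.0.2.10
www.example.  3600 IN RRSIG A 8 2 300 20240301000000 20240201000000 12345 example. AbCd==
mail.example. 3600 IN A     192.0.2.20
"""

def parse_zone(text):
    """Group records into RRsets: (owner, type) -> (ttl, frozenset of rdata)."""
    rrsets = defaultdict(lambda: [None, set()])
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(owner, rtype)][0] = int(ttl)
        rrsets[(owner, rtype)][1].add(rdata)
    return {k: (ttl, frozenset(rd)) for k, (ttl, rd) in rrsets.items()}

def ttl_only_drift(upstream_text, downstream_text):
    """RRsets with identical rdata on both sides but different TTLs: exactly the
    change this report says is dropped from the outgoing IXFR. Returns a sorted
    list of ((owner, type), upstream_ttl, downstream_ttl)."""
    up, down = parse_zone(upstream_text), parse_zone(downstream_text)
    return sorted((k, up[k][0], down[k][0]) for k in up
                  if k in down and up[k][1] == down[k][1] and up[k][0] != down[k][0])

def cached_ttl(zone_text, owner, rtype, validating):
    """TTL a resolver caches for (owner, rtype) from this zone copy. A validating
    resolver caps it at the RRSIG Original TTL field (4th rdata field, RFC 4035
    section 5.3.3); a non-validating resolver uses the record TTL as is, so the
    stuck downstream TTL persists for it."""
    zone = parse_zone(zone_text)
    ttl = zone[(owner, rtype)][0]
    if not validating:
        return ttl
    sigs = [rd for rd in zone.get((owner, "RRSIG"), (0, ()))[1] if rd.split()[0] == rtype]
    return min([ttl] + [int(rd.split()[3]) for rd in sigs])
```

Running `ttl_only_drift(UPSTREAM, DOWNSTREAM)` against periodic AXFR snapshots of both servers is a simple monitoring check for this symptom while the IXFR behaviour is unresolved.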