- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: OpenDNSSEC 1.4.7
- Fix Version/s: None
- Component/s: Signer
- Labels: None
- Environment: NetBSD/amd64 6.1.5, Zone transfer in, zone transfer out with OpenDNSSEC
Hi,
with ref. to the e-mail thread on opendnssec-user with the subject
"TTL clamped to minimum 3600" (which was a misleading title), started
on January 20, it seems that the outgoing IXFR processing in the signer
will disregard TTL-only changes to the data, causing the previous TTL
on the downstream name server to "stick around", ref. the follow-up
message of January 22 in the same thread.
For a validating resolver this is not an issue, since the RRSIG contains the
"original TTL" value, and a validator must limit the TTL of the signed record
to the value in the RRSIG "original TTL" field.
However, a non-validating resolver just uses the TTL from the record as is,
and then the inability to propagate a TTL-only change through OpenDNSSEC
with IXFR becomes a problem, since a TTL-only change is typically used to
reduce the caching time just prior to an actual change of the data in the record,
so it's highly desirable that a TTL-only change should propagate.
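The following is an added toy model of the scenario described in the report; it is not OpenDNSSEC code and does not reproduce the signer's actual IXFR implementation. It diffs two constructed versions of a zone with the record TTL either excluded from or included in the record identity, applies the resulting IXFR to a downstream copy, and then shows what TTL a validating resolver (which caps the TTL at the RRSIG Original TTL field) and a non-validating resolver (which caches the TTL as received) would end up with. The zone contents, the names `ixfr_diff`, `apply_ixfr`, `resolver_ttl` and `ttl_after_ttl_only_change`, and the representation of RRSIG rdata as a tuple are all assumptions made for the illustration; the validator rule is simplified to the minimum of the RRset TTL and the Original TTL.

```python
"""Toy model of a TTL-only change crossing an IXFR hop, then being cached
by a validating vs. a non-validating resolver. Constructed illustration,
not OpenDNSSEC code."""
from collections import namedtuple

# Constructed resource record. rdata is a string for an A record and a
# (type_covered, original_ttl, signature) tuple for an RRSIG.
RR = namedtuple("RR", "name rtype ttl rdata")


def rr_key(rr, compare_ttl):
    """Identity used when diffing two zone versions. With compare_ttl=False
    the TTL is not part of the identity, so a record whose only change is
    its TTL looks unchanged (the behaviour the report describes)."""
    key = (rr.name, rr.rtype, rr.rdata)
    return key + (rr.ttl,) if compare_ttl else key


def ixfr_diff(old_zone, new_zone, compare_ttl):
    """Compute the (deleted, added) records an IXFR would carry."""
    old = {rr_key(r, compare_ttl): r for r in old_zone}
    new = {rr_key(r, compare_ttl): r for r in new_zone}
    deleted = [r for k, r in old.items() if k not in new]
    added = [r for k, r in new.items() if k not in old]
    return deleted, added


def apply_ixfr(zone, deleted, added):
    """The downstream secondary applies the diff to its copy of the zone."""
    kept = [r for r in zone if r not in deleted]
    return kept + added


def resolver_ttl(rrset_ttl, rrsig_original_ttl, validating):
    """Simplified cache rule: a validating resolver caps the TTL at the
    RRSIG Original TTL (RFC 4035, section 5.3.3, which also considers the
    RRSIG TTL and remaining signature lifetime); a non-validating resolver
    caches the TTL exactly as received."""
    return min(rrset_ttl, rrsig_original_ttl) if validating else rrset_ttl


def ttl_after_ttl_only_change(compare_ttl):
    """Run the reported scenario: the operator lowers the TTL of www A from
    3600 to 300 without changing the address, the signer re-signs, and the
    zone goes out over IXFR. Returns (validating_ttl, non_validating_ttl)
    as cached from the downstream copy."""
    old_zone = [
        RR("www.example.com.", "A", 3600, "192.0.2.1"),
        RR("www.example.com.", "RRSIG", 3600, ("A", 3600, "sig-v1")),
    ]
    # TTL-only change. The RRSIG is regenerated because Original TTL is
    # part of the signed data, so its rdata differs and it always propagates.
    new_zone = [
        RR("www.example.com.", "A", 300, "192.0.2.1"),
        RR("www.example.com.", "RRSIG", 300, ("A", 300, "sig-v2")),
    ]
    deleted, added = ixfr_diff(old_zone, new_zone, compare_ttl)
    downstream = apply_ixfr(list(old_zone), deleted, added)
    a_rr = next(r for r in downstream if r.rtype == "A")
    rrsig = next(r for r in downstream if r.rtype == "RRSIG")
    original_ttl = rrsig.rdata[1]
    return (
        resolver_ttl(a_rr.ttl, original_ttl, validating=True),
        resolver_ttl(a_rr.ttl, original_ttl, validating=False),
    )


if __name__ == "__main__":
    print("TTL ignored in diff (reported behaviour):", ttl_after_ttl_only_change(False))
    print("TTL included in diff:", ttl_after_ttl_only_change(True))
```

With the TTL left out of the record identity only the RRSIG is transferred, so the downstream copy keeps the A record at 3600 while the new RRSIG carries Original TTL 300: a validating resolver still caches 300, but a non-validating one caches the stale 3600, which is exactly the asymmetry the report points out. Including the TTL in the identity makes both resolvers see 300.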