-
Type:
Bug
-
Status: Open
-
Priority:
Minor
-
Resolution: Unresolved
-
Affects Version/s: OpenDNSSEC 1.4.10
-
Fix Version/s: None
-
Component/s: Signer
-
Labels:None
-
Environment:
FreeBSD 10.x
We’re seeing lots (and lots) of log entries where ODS is adjusting the TTL after an IXFR from the master. The TTL (or anything else) did not change on the master for these records. From what it, seems ODS is applying an adjustment to the wrong entries.
All our NS records are set to 86400, except for domains that have an non-existent delegation for operational reasons, which are set to 7200.
This is how it looks from the hidden master:
% dig @master ns somewrongdomain.dk
<snip>
;; AUTHORITY SECTION:
somewrongdomain.dk. 7200 IN NS NonExistent.dk-hostmaster.dk.
% dig @master ns somerightdomain.dk
<snip>
;; AUTHORITY SECTION:
somerightdomain.dk. 86400 IN NS ns1.somerightdomain.dk.
somerightdomain.dk. 86400 IN NS ns2.somerightdomain.dk.
And this is what ODS says about it:
Oct 5 11:03:41 signer ods-signerd: In zone file dk: TTL for the record ’somewrongdomain.dk. 7200 IN NS NonExistent.dk-hostmaster.dk.' set to 86400
Oct 5 11:03:41 signer ods-signerd: In zone file dk: TTL for the record ’somerightdomain.dk. 86400 IN NS ‘ns1.somerightnameserver.dk.' set to 7200
Oct 5 11:03:41 signer ods-signerd: In zone file dk: TTL for the record ’somerightdomain.dk. 86400 IN NS ‘ns2.somerightnameserver.dk.' set to 7200
This does not happen for every delegation and I have so far failed to find a pattern. It does seem to affect the same delegations over several weeks. About 60% of the nonexistent delegations are upgraded, while about 3% of right delegations are downgraded (of course, wildly different population sizes).
I don’t know if this is related to OPENDNSSEC-890, but in our case, the RR set has the same TTL for all records, and I see no reason why ODS should want to “improve” them.
- duplicates
-
-
- Resolved
-