[Opendnssec-user] opendnssec-1.4.14 signer omits custom TTL entries.
Maurice Mahieu
2018-04-24 11:33:30 UTC
Hello,

I upgraded from opendnssec-1.4.8.2 to opendnssec-1.4.14 (self compiled).

This version doesn't process the custom TTLs in DNS record lines from
the input zonefiles. The signed zonefile just contains the default TTL
for each record.

Has anybody else experienced this behaviour?

Regards.

Maurice Mahieu

--
Mathieu Arnold
2018-04-24 14:07:33 UTC
Post by Maurice Mahieu
Hello,
I upgraded from opendnssec-1.4.8.2 to opendnssec-1.4.14 (self compiled).
This version doesn't process the custom TTLs in DNS record lines from the
input zonefiles. The signed zonefile just contains the default TTL for each
record.
Has anybody else experienced this behaviour?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
--
Mathieu Arnold
Maurice Mahieu
2018-04-24 14:37:25 UTC
Hello Mathieu,

When running a "ods-signer clear" the TTL indeed gets updated. But I
have to run it every time before I run a "ods-signer sign". This
looks like a bug.

Regards,


Maurice

Kind regards,
Maurice Mahieu
system engineer
<http://www.linkedin.com/in/maurice-mahieu-224a1821> | +31 (0)20 530 9111 <tel:+31205309111>
info.nl <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 <tel:+31205309100>
Post by Mathieu Arnold
Post by Maurice Mahieu
Hello,
I upgraded from opendnssec-1.4.8.2 to opendnssec-1.4.14 (self compiled).
This version doesn't process the custom TTLs in DNS record lines from the
input zonefiles. The signed zonefile just contains the default TTL for each
record.
Has anybody else experienced this behaviour?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
--
Berry A.W. van Halderen
2018-04-25 09:02:27 UTC
Post by Maurice Mahieu
Hello Mathieu,
When running a "ods-signer clear" the TTL indeed gets updated. But I
have to run it every time before I run a "ods-signer sign". This
looks like a bug.
Post by Mathieu Arnold
Post by Maurice Mahieu
I upgraded from opendnssec-1.4.8.2 to opendnssec
Kind regards,
Maurice Mahieu
system engineer
Has anybody else experienced this behaviour?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
There is a fix in a recent 1.4 version for handling problems in the
input zone. When you have a record set with the same name and type,
but there are different TTLs on the multiple RRs in the set, then the
TTL gets corrected.
Note that it is incorrect to have different TTLs on these RRs, but in
case this happens, what you do not want is to have bogus signatures.
The fix should address this, but for pure code-technical problems
it cannot choose the right TTL. This happens when you have got into
the situation and later correct this in the input zone; in that
case it still won't get the TTL right, but will keep all records
correctly signed.
So this isn't a full fix, but for 1.4 and 2.1 the improvement would
mean a code revision that is too large for a maintenance branch,
_given_ this is already an incorrect input file.

Now, I hope this is what you have run into. In that case, the
ods-zone sign/clear command will force the TTLs to be corrected.
If the problem in the input file doesn't happen again, then
you won't run into the problem again.

Just to be sure I will perform a test, perhaps I can have a copy
of your kasp.xml to make sure I mimic the specified TTLs in there.
In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
a possible cause that will cap your TTLs.

With kind regards,
Berry van Halderen
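The two conditions discussed in this thread can both be checked before a signed zone is published: an input RRset whose member RRs carry different TTLs (the situation Berry says the 1.4 fix corrects instead of producing bogus signatures), and a signed zone in which the signer has replaced custom TTLs with the default (the symptom Maurice reports). The Python script below is an added example written for this page; it is not OpenDNSSEC code and does not use its zone parser. It handles only the explicit "name TTL class type rdata" zone-file form plus $TTL, both zone snippets are constructed for the example, and the RRSIG rdata is a placeholder.

```python
"""Added example: TTL sanity checks around a DNSSEC signer.

Two checks on simple zone-file text:
  1. inconsistent_rrsets: RRsets whose members carry different TTLs
     (RFC 2181 section 5.2 requires all RRs in an RRset to share a TTL).
  2. ttl_drift: records whose TTL in the signed output differs from the
     TTL given in the unsigned input.
Only the explicit "name TTL class type rdata" line form and $TTL are
handled; the zone text below is constructed for the example.
"""
from collections import defaultdict

# Constructed unsigned input zone. www has a deliberately inconsistent
# RRset (300 and 600); mail carries a custom TTL of 60.
UNSIGNED_ZONE = """\
$TTL 3600
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2018042401 7200 3600 1209600 300
example.test.      3600 IN NS  ns1.example.test.
ns1.example.test.  3600 IN A   192.0.2.1
www.example.test.   300 IN A   192.0.2.10
www.example.test.   600 IN A   192.0.2.11
mail.example.test.   60 IN A   192.0.2.20
"""

# Constructed signer output showing the reported symptom: every custom TTL
# has been replaced by the $TTL default. The RRSIG rdata is a placeholder.
SIGNED_ZONE = """\
$TTL 3600
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2018042402 7200 3600 1209600 300
example.test.      3600 IN NS  ns1.example.test.
ns1.example.test.  3600 IN A   192.0.2.1
www.example.test.  3600 IN A   192.0.2.10
www.example.test.  3600 IN A   192.0.2.11
www.example.test.  3600 IN RRSIG A 8 3 3600 20180524000000 20180424000000 12345 example.test. PLACEHOLDERSIGNATURE==
mail.example.test. 3600 IN A   192.0.2.20
"""

# Records the signer itself generates; their TTLs come from policy, not input.
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}
CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Return a list of (name, ttl, type, rdata) tuples from zone-file text."""
    default_ttl = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        name, rest = fields[0].lower(), fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():  # explicit per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() in CLASSES:  # optional class field
            rest = rest[1:]
        if ttl is None or not rest:
            raise ValueError("unparseable record: %r" % raw)
        records.append((name, ttl, rest[0].upper(), " ".join(rest[1:])))
    return records


def inconsistent_rrsets(records):
    """Map (name, type) -> sorted TTLs for RRsets whose RRs disagree on TTL."""
    ttls = defaultdict(set)
    for name, ttl, rtype, _ in records:
        ttls[(name, rtype)].add(ttl)
    return {key: sorted(seen) for key, seen in ttls.items() if len(seen) > 1}


def ttl_drift(unsigned, signed):
    """List (name, type, input_ttl, signed_ttl) where the signer changed a TTL.

    Signer-generated types are skipped, and a record whose rdata changed
    (for example the SOA serial) is not compared, since it is not the same RR.
    """
    expected = {(n, t, r): ttl for n, ttl, t, r in unsigned}
    drift = []
    for name, ttl, rtype, rdata in signed:
        if rtype in SIGNER_TYPES:
            continue
        key = (name, rtype, rdata)
        if key in expected and expected[key] != ttl:
            drift.append((name, rtype, expected[key], ttl))
    return drift


if __name__ == "__main__":
    unsigned = parse_zone(UNSIGNED_ZONE)
    for (name, rtype), seen in inconsistent_rrsets(unsigned).items():
        print("input RRset %s %s has mixed TTLs %s" % (name, rtype, seen))
    for name, rtype, want, got in ttl_drift(unsigned, parse_zone(SIGNED_ZONE)):
        print("signed %s %s has TTL %d, input says %d" % (name, rtype, got, want))
```

Feeding the real unsigned input and the signer's output into parse_zone in place of the constructed strings turns ttl_drift into a post-signing gate: a non-empty result means the signed zone would serve TTLs the operator did not configure, which is the symptom reported in this thread. A non-empty inconsistent_rrsets result on the input is the malformed-zone condition Berry describes; fixing it in the input before signing avoids relying on the signer's best-effort TTL correction.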
Maurice Mahieu
2018-04-26 14:51:32 UTC
Hello Berry,

This is not what is happening in my case. Also if I change a TTL of
an A record it doesn't get updated at all. Only if I do a "ods-signer
clear" does the TTL get updated in the signed zone.

Regards,

Maurice
Post by Maurice Mahieu
Hello Mathieu,
When running a "ods-signer clear" the TTL indeed gets updated. But I
have to run it every time before I run a "ods-signer sign". This
looks like a bug.
Post by Mathieu Arnold
Post by Maurice Mahieu
I upgraded from opendnssec-1.4.8.2 to opendnssec
Kind regards,
Maurice Mahieu
system engineer
Has anybody else experienced this behaviour?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
There is a fix in a recent 1.4 version for handling problems in the
input zone. When you have a record set with the same name and type,
but there are different TTLs on the multiple RRs in the set, then the
TTL gets corrected.
Note that it is incorrect to have different TTLs on these RRs, but in
case this happens, what you do not want is to have bogus signatures.
The fix should address this, but for pure code-technical problems
it cannot choose the right TTL. This happens when you have got into
the situation and later correct this in the input zone, in that
case it still won't get the TTL right, but will keep all records
correctly signed.
So this isn't a full fix, but for 1.4 and 2.1 the improvement would
mean a code revision that is too large for a maintenance branch,
_given_ this is already an incorrect input file.
Now, I hope this is what you have run into. In that case, the
ods-zone sign/clear command will force the TTLs to be corrected.
If the problem in the input file doesn't happen again, then
you won't run into the problem again.
Just to be sure I will perform a test, perhaps I can have a copy
of your kasp.xml to make sure I mimic the specified TTLs in there.
In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
a possible cause that will cap your TTLs.
With kind regards,
Berry van Halderen
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Berry A.W. van Halderen
2018-05-07 12:55:35 UTC
Post by Maurice Mahieu
Hello Berry,
This is not what is happening in my case. Also if I change a TTL of
an A record it doesn't get updated at all. Only if I do a "ods-signer
clear" does the TTL get updated in the signed zone.
I haven't got a clear path to where things went wrong, but I think I can
confirm the issue as a real bug. It seems to affect the latest release of
1.4 only. I need to check the 2.1 release, since that might differ.
I've not really been able to reproduce the issue, but far enough to
confirm it.

\Berry
Post by Maurice Mahieu
Regards,
Maurice
Post by Maurice Mahieu
Hello Mathieu,
When running a "ods-signer clear" the TTL indeed gets updated. But I
have to run it every time before I run a "ods-signer sign". This
looks like a bug.
Post by Mathieu Arnold
Post by Maurice Mahieu
I upgraded from opendnssec-1.4.8.2 to opendnssec
Kind regards,
Maurice Mahieu
system engineer
Has anybody else experienced this behaviour?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
There is a fix in a recent 1.4 version for handling problems in the
input zone. When you have a record set with the same name and type,
but there are different TTLs on the multiple RRs in the set, then the
TTL gets corrected.
Note that it is incorrect to have different TTLs on these RRs, but in
case this happens, what you do not want is to have bogus signatures.
The fix should address this, but for pure code-technical problems
it cannot choose the right TTL. This happens when you have got into
the situation and later correct this in the input zone, in that
case it still won't get the TTL right, but will keep all records
correctly signed.
So this isn't a full fix, but for 1.4 and 2.1 the improvement would
mean a code revision that is too large for a maintenance branch,
_given_ this is already an incorrect input file.
Now, I hope this is what you have run into. In that case, the
ods-zone sign/clear command will force the TTLs to be corrected.
If the problem in the input file doesn't happen again, then
you won't run into the problem again.
Just to be sure I will perform a test, perhaps I can have a copy
of your kasp.xml to make sure I mimic the specified TTLs in there.
In 1.4 there is no MaxZoneTTL yet, otherwise this would also be
a possible cause that will cap your TTLs.
With kind regards,
Berry van Halderen