Opened 10 years ago

Closed 8 years ago

Last modified 8 years ago

#152 closed defect (complete)

Xfrin changes TTL for RRSIGs

Reported by: jreed
Owned by: jinmei
Priority: medium
Milestone:
Component: xfrin
Version:
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: Medium
Sub-Project: DNS
Feature Depending on Ticket:
Estimated Difficulty: 0.0
Add Hours to Ticket:
Total Hours:
Internal?: no

Description

I used Xfrin retransfer to load a zone. The RRSIG and NSEC records TTLs on master are 90. The SOA minimum is 65. The RRSIG and NSEC records on slave became 65.

I understand this may be correct for NSEC. BIND 9 has same behaviour.

But all the RRSIG (even for signing non-NSEC records) got changed to 65 TTL too. That is not the same behaviour I see in BIND 9.4.3-P3
(I need to upgrade that master).

(I didn't have the problem for SOA, TXT, NS, A, nor DNSKEY records.)

Change History (8)

comment:1 (in reply to description; follow-up in comment:2) Changed 10 years ago by jinmei

Replying to jreed:

  I used Xfrin retransfer to load a zone. The RRSIG and NSEC records TTLs on master are 90. The SOA minimum is 65. The RRSIG and NSEC records on slave became 65.

  I understand this may be correct for NSEC. BIND 9 has same behaviour.

  But all the RRSIG (even for signing non-NSEC records) got changed to 65 TTL too. That is not the same behaviour I see in BIND 9.4.3-P3
  (I need to upgrade that master).

I can't reproduce this behavior.

I transferred my personal zone, jinmei.org, from 149.20.54.162, and asked the local bind10 secondary server for jinmei.org/SOA with +dnssec, I got:

;; ANSWER SECTION:
jinmei.org.		86400	IN	SOA	ns.jinmei.org. jinmei.kame.net. 2010040601 7200 3600 2592000 1200
jinmei.org.		86400	IN	RRSIG	SOA 5 2 86400 20100506224137 20100406224137 14331 jinmei.org. [sig]

Note that SOA minimum is 1200 and the TTL of the RRSIG is 86400.

I don't restrict zone transfer for my zone, so you can try it yourself.

comment:2 (in reply to comment:1) Changed 10 years ago by jinmei

  I can't reproduce this behavior.

Okay, I now understand the problem.

MessageImpl::parseSection() combines RRSIGs with different covering types into a single RRset, adjusting TTLs. That's why all RRSIGs have the TTL of the RRSIG covering NSEC (which, in your case, should be the smallest TTL).

Meanwhile, RRset::addRRsig() resets RRSIG's TTL to the TTL of the covered RRset (I suspect this is a questionable behavior, but that's a separate issue). This is why I couldn't reproduce it via dig.

We'll have to fix it, but I'm not sure about the best way to fix this. BIND 9 treats RRSIG as a special case in many places of the code and it has a lot of conditional statements like:

if (rdtype == dns_rdatatype_rrsig) {
    /* do some special thing with its "covers", etc */
}

We could do the same thing, but IMO this is very error prone. I'll think about other possibilities to see whether we can handle all RRtypes (including RRSIG) more transparently, while still dealing with the special semantics of some special RRtypes.

I'll think about it more.
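
The two mechanisms described in comment:2, modelled in a small added example (this is illustrative code written for this page, not BIND 10's MessageImpl::parseSection() or RRset::addRRsig(), and the zone data is constructed). It groups a message section into RRsets twice, once by (name, type) only, which is the grouping comment:2 describes, and once with the RRSIG type covered added to the key, and then shows why re-attaching the RRSIG to its covered RRset hides the TTL change from a dig query. Class is assumed to be IN throughout, and the RRSIG covering NSEC is assumed to already carry the NSEC's smaller TTL, as comment:2 states.

```python
"""Model of the RRSIG TTL problem from comment:2 (example code, not BIND 10's).

Mechanism 1: RRs of a message section are grouped into RRsets, and an RRset
carries a single TTL; when member TTLs differ the smallest is used (RFC 2181
section 5.2). If RRSIGs covering different types land in one RRset, every
signature inherits the smallest RRSIG TTL at that name.

Mechanism 2: when an RRSIG RRset is attached to the RRset it covers, its TTL
is reset to the covered RRset's TTL, so a later query no longer shows what
happened in mechanism 1.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rrtype: str
    rdata: str  # for RRSIG the first RDATA field is the type covered


def covered_type(rr: RR) -> str:
    """Type covered by an RRSIG, taken from the first RDATA field."""
    if rr.rrtype != "RRSIG":
        raise ValueError("not an RRSIG")
    return rr.rdata.split()[0]


def group_rrsets(rrs, split_rrsig_by_covered: bool):
    """Group RRs into RRsets keyed by (name, type) or, for RRSIG when
    split_rrsig_by_covered is True, by (name, "RRSIG", covered type).

    Returns {key: (rrset_ttl, [rdata, ...])}, rrset_ttl being the smallest
    member TTL as RFC 2181 requires for an RRset with mixed TTLs.
    """
    buckets = defaultdict(list)
    for rr in rrs:
        key = (rr.name, rr.rrtype)
        if split_rrsig_by_covered and rr.rrtype == "RRSIG":
            key += (covered_type(rr),)
        buckets[key].append(rr)
    return {
        key: (min(rr.ttl for rr in members), [rr.rdata for rr in members])
        for key, members in buckets.items()
    }


def attach_rrsigs(rrsets):
    """Model of resetting each RRSIG's TTL to that of the RRset it covers.

    Returns {(name, covered type): rrsig_ttl_after_attach}. Whatever TTL
    the RRSIG RRset got in group_rrsets() is overwritten here, which is why
    asking the server with dig cannot reveal the grouping problem.
    """
    out = {}
    for (name, rrtype, *_), (_ttl, rdatas) in rrsets.items():
        if rrtype != "RRSIG":
            continue
        for rdata in rdatas:
            covered = rdata.split()[0]
            out[(name, covered)] = rrsets[(name, covered)][0]
    return out


# Constructed sample section in the spirit of the ticket: signed data at
# TTL 90, SOA minimum 65, NSEC and its RRSIG at 65 (assumption, per comment:2).
SECTION = [
    RR("example.", 90, "SOA", "ns.example. hostmaster.example. 1 7200 3600 2592000 65"),
    RR("example.", 90, "RRSIG", "SOA 8 1 90 20300101000000 20200101000000 12345 example. sig=="),
    RR("example.", 90, "A", "192.0.2.1"),
    RR("example.", 90, "RRSIG", "A 8 1 90 20300101000000 20200101000000 12345 example. sig=="),
    RR("example.", 65, "NSEC", "ns.example. A NS SOA RRSIG NSEC DNSKEY"),
    RR("example.", 65, "RRSIG", "NSEC 8 1 65 20300101000000 20200101000000 12345 example. sig=="),
]


def rrsig_ttls(split_rrsig_by_covered: bool):
    """RRSIG TTL per covered type after grouping the sample section."""
    out = {}
    for (_name, rrtype, *_), (ttl, rdatas) in group_rrsets(SECTION, split_rrsig_by_covered).items():
        if rrtype == "RRSIG":
            for rdata in rdatas:
                out[rdata.split()[0]] = ttl
    return out


if __name__ == "__main__":
    print("grouped by type only:     ", rrsig_ttls(False))
    print("grouped by covered type:  ", rrsig_ttls(True))
    print("after attaching to covered:", attach_rrsigs(group_rrsets(SECTION, False)))
```

With the type-only grouping every RRSIG at the name ends up at TTL 65, the reporter's symptom; keying RRSIGs by covered type keeps the SOA and A signatures at 90. Running attach_rrsigs() over the type-only result restores 90 for those signatures, which matches comment:2's remark that the problem was invisible through dig.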

comment:3 Changed 9 years ago by larissas

  • billable set to 0
  • Component changed from Unclassified to xfrin
  • Estimated Difficulty set to 0.0
  • Internal? unset
  • Milestone set to feature backlog item

comment:4 Changed 9 years ago by stephen

  • Milestone feature backlog item deleted

comment:5 (follow-up in comment:6) Changed 8 years ago by shane

  • Defect Severity set to Medium
  • Owner set to jinmei
  • Status changed from new to assigned
  • Sub-Project set to DNS

I think this is still a problem, but want to confirm. Jinmei, can you confirm or deny please! :)

comment:6 (in reply to comment:5) Changed 8 years ago by jinmei

  • Milestone set to New Tasks

Replying to shane:

  I think this is still a problem, but want to confirm. Jinmei, can you confirm or deny please! :)

I now see the original problem description is unclear. But in any case I don't think there's a TTL change issue in the latest xfrin because we treat each RR separately.

MessageImpl::parseSection() would still need to consider RRSIG type covered when it combines multiple RRSIGs into a single RRset. That would go to a separate ticket.

comment:7 Changed 8 years ago by shane

  • Resolution set to complete
  • Status changed from assigned to closed

Okay, I've created a separate ticket for handling the specific issue of MessageImpl::parseSection(), which is #1689. Feel free to fix it if I haven't captured the essence of the problem.

comment:8 Changed 8 years ago by shane

  • Milestone New Tasks deleted