Bug 542 - TTL value of RRSIG covering SOA in negative response
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 4.0.x
Hardware: All
OS: All
Importance: P5 minor
Assigned To: NSD team
Depends on:
Blocks:
Reported: 2013-12-27 17:54 CET by Daisuke HIGASHI
Modified: 2014-01-08 14:53 CET

See Also:


Attachments
example.net zone file (4.41 KB, application/octet-stream)
2013-12-27 17:54 CET, Daisuke HIGASHI

Description Daisuke HIGASHI 2013-12-27 17:54:10 CET
Created attachment 243: example.net zone file

RFC2308 specifies that the SOA TTL in negative responses is
set to min(SOA MINIMUM, SOA TTL itself). NSD follows this
specification (cf. bug#103); however, it does not modify the
TTL value of the RRSIG in the same way.

  The RRSIG TTL shall also be set to min(SOA-MINIMUM, SOA-TTL),
since RFC4034 specifies that the TTL value of an RRSIG RR MUST
match the TTL value of the RRset it covers.

  This issue may be harmless, since RFC4035 specifies that a validator
sets its TTL to the smaller one.

** How to repeat

 1. Load a signed zone (example attached) whose SOA MINIMUM is
    smaller than the SOA/RRSIG TTL itself (900 < 86400).

  ----------
  $ORIGIN example.net.
  @  86400 IN SOA ns test 1 3600 1800 604800 900
     86400 IN RRSIG SOA ...
  ----------

 2. dig @::1 nonexistent.example.net +dnssec


*** NSD response ***

 > dig @::1 nonexistent.example.net +dnssec
 ;; AUTHORITY SECTION:
 example.net. 900   IN SOA   ...
 example.net. 86400 IN RRSIG ...
              ^^^


*** Expected response ***

 > dig @::1 nonexistent.example.net +dnssec

 ;; AUTHORITY SECTION:
 example.net. 900   IN SOA   ...
 example.net. 900   IN RRSIG ...
              ^^^
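The two rules the report relies on (RFC 2308: the SOA in a negative answer carries min(SOA TTL, SOA MINIMUM); RFC 4034: an RRSIG's TTL must equal the TTL of the RRset it covers) can be checked mechanically against a server's AUTHORITY SECTION. The script below is an added example for this page, not NSD code or the reporter's own tooling; the zone SOA line and the two authority sections are constructed from the report (the RRSIG signature fields are dummy values), and it only parses the presentation-format subset needed here.

```python
# Added example (not NSD code): verify negative-response TTL consistency.
# RFC 2308 sect. 3: negative-answer SOA TTL = min(SOA TTL, SOA MINIMUM).
# RFC 4034 sect. 3: an RRSIG's TTL must match the TTL of the covered RRset.
# Note that the RRSIG's "original TTL" rdata field stays at the zone TTL;
# only the RR's own TTL is lowered. Sample records below are constructed.

def parse_rr(line):
    """Parse 'owner TTL IN TYPE rdata...' (explicit TTL, class IN only).

    Returns (owner, ttl, rrtype, rdata_tokens). Relative names, $TTL
    defaults and comments are out of scope for this check.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[2] != "IN":
        raise ValueError(f"unsupported record line: {line!r}")
    owner, ttl, _cls, rrtype = tokens[:4]
    return owner, int(ttl), rrtype, tokens[4:]


def negative_ttl(soa_ttl, soa_minimum):
    """TTL of the SOA placed in a negative answer (RFC 2308)."""
    return min(soa_ttl, soa_minimum)


def check_negative_authority(zone_soa_line, authority_lines):
    """Return a list of findings; an empty list means the response is consistent.

    zone_soa_line:   the SOA as loaded from the zone (TTL plus MINIMUM field).
    authority_lines: AUTHORITY SECTION of a negative response, one RR per line.
    """
    _, soa_ttl, rrtype, rdata = parse_rr(zone_soa_line)
    if rrtype != "SOA":
        raise ValueError("zone line must be the SOA record")
    expected = negative_ttl(soa_ttl, int(rdata[-1]))  # MINIMUM is the last SOA field

    soa_rr = rrsig_rr = None
    for line in authority_lines:
        owner, ttl, rtype, rd = parse_rr(line)
        if rtype == "SOA":
            soa_rr = (owner, ttl)
        elif rtype == "RRSIG" and rd and rd[0] == "SOA":  # "type covered" is first
            rrsig_rr = (owner, ttl)

    if soa_rr is None:
        return ["no SOA in authority section"]
    findings = []
    if soa_rr[1] != expected:
        findings.append(f"SOA TTL {soa_rr[1]} != min(SOA TTL, MINIMUM) = {expected}")
    if rrsig_rr is None:
        findings.append("no RRSIG covering SOA (unsigned response?)")
    elif rrsig_rr[1] != soa_rr[1]:
        findings.append(f"RRSIG(SOA) TTL {rrsig_rr[1]} != SOA TTL {soa_rr[1]} (RFC 4034)")
    return findings


# Constructed sample data modelled on the report; signature fields are dummies.
ZONE_SOA = "@ 86400 IN SOA ns test 1 3600 1800 604800 900"
REPORTED_RESPONSE = [
    "example.net. 900 IN SOA ns.example.net. test.example.net. 1 3600 1800 604800 900",
    "example.net. 86400 IN RRSIG SOA 8 2 86400 20140131000000 20140101000000 12345 example.net. AAAA",
]
EXPECTED_RESPONSE = [
    "example.net. 900 IN SOA ns.example.net. test.example.net. 1 3600 1800 604800 900",
    "example.net. 900 IN RRSIG SOA 8 2 86400 20140131000000 20140101000000 12345 example.net. AAAA",
]

if __name__ == "__main__":
    for name, lines in (("reported", REPORTED_RESPONSE), ("expected", EXPECTED_RESPONSE)):
        print(name, check_negative_authority(ZONE_SOA, lines) or "OK")
```

Run against the reported output the checker flags only the RRSIG TTL (86400 versus the SOA's 900); against the expected output it returns no findings. Feeding it the AUTHORITY SECTION of a live `dig +dnssec` query for a nonexistent name is a quick way to confirm a server has the fix.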
Comment 1 Matthijs Mekking 2014-01-08 14:53:44 CET
Hi, 

Thanks for your report. I have made a fix for this, please see r4115.