From a85cc41486d94d6c5e5116c63fa7ef1c9fd58925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 11 Mar 2019 12:04:42 +0100
Subject: [PATCH] Make ANSWER TTL capping checks stricter
For checks querying a named instance with "dnssec-accept-expired yes;" set, authoritative responses have a TTL of 300 seconds. Assuming empty resolver cache, TTLs of RRsets in the ANSWER section of the first response to a given query will always match their authoritative counterparts. Also note that for a DNSSEC-validating named resolver, validated RRsets replace any existing non-validated RRsets with the same owner name and type, e.g. cached from responses received while resolving CD=1 queries. Since TTL capping happens before a validated RRset is inserted into the cache and RRSIG expiry time does not impose an upper TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out above, the original TTLs of the relevant RRsets equal 300 seconds, the RRsets in the ANSWER section of the responses to expiring.example/SOA and expired.example/SOA queries sent with CD=0 should always be exactly 120 seconds, never a lower value. Make the relevant TTL checks stricter to reflect that.
---
 bin/tests/system/dnssec/tests.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 117fc0ca68..dda755f9a1 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2855,7 +2855,7 @@ for ttl in ${ttls:-0}; do
 [ "$ttl" -eq 300 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
+ [ "$ttl" -eq 120 ] || ret=1
 done
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -2871,7 +2871,7 @@ for ttl in ${ttls:-0}; do
 [ "$ttl" -eq 300 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
+ [ "$ttl" -eq 120 ] || ret=1
 done
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
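Review bot: The new `[ "$ttl" -eq 120 ] || ret=1` line in both hunks (by the hunk headers, around lines 2858 and 2874, the expiring.example/SOA and expired.example/SOA cases) encodes reasoning that exists only in the commit message — authoritative TTL of 300, capping applied before the validated RRset is cached, and "dnssec-accept-expired yes;" removing the RRSIG-expiry bound — so a reader of tests.sh cannot tell why a TTL of 119 is now a failure rather than a tolerable cache age. A comment above the `for ttl in ${ttls2:-0}` loop such as `# capped TTL must be exactly 120: the authoritative TTL is 300 and capping precedes cache insertion, so no lower value is expected (see commit a85cc414)` would keep that rationale next to the check. The two hunks are textually identical; if these blocks grow further, a shared helper would avoid the two copies drifting, though that is outside this change. In both hunks the enclosing check block (the query, the `ret=0` reset and the extraction of `ttls2`) starts before the hunk's first line.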