Merge branch 'rijswijk-orig_ttl'

cachedb/cachedb.c

@@ -465,6 +465,7 @@ packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
 			data->rr_ttl[i] -= subtract;
 		else	data->rr_ttl[i] = 0;
 	}
+	data->ttl_add = (subtract < data->ttl_add) ? (data->ttl_add - subtract) : 0;
 }
 
 /* Adjust the TTL of a DNS message and its RRs by 'adjust'.  If 'adjust' is

dns64/dns64.c

@@ -727,7 +727,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 		*dd_out = NULL;
 		return; /* integer overflow protection in alloc */
 	}
-	if (!(dd = *dd_out = regional_alloc(region,
+	if (!(dd = *dd_out = regional_alloc_zero(region,
 		  sizeof(struct packed_rrset_data)
 		  + fd->count * (sizeof(size_t) + sizeof(time_t) +
 			     sizeof(uint8_t*) + 2 + 16)))) {

doc/example.conf.in

@@ -598,6 +598,13 @@ server:
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
 
+	# Return the original TTL as received from the upstream name server rather
+	# than the decrementing TTL as stored in the cache.  Enabling this feature
+	# does not impact cache expiry, it only changes the TTL unbound embeds in
+	# responses to queries. Note that enabling this feature implicitly disables
+	# enforcement of the configured minimum and maximum TTL.
+	# serve-original-ttl: no
+
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	# val-log-level: 0

doc/unbound.conf.5.in

@@ -1186,6 +1186,19 @@ responding with expired data.  A recommended value per
 RFC 8767 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
+.B serve\-original\-ttl: \fI<yes or no>
+If enabled, unbound will always return the original TTL as received from
+the upstream name server rather than the decrementing TTL as
+stored in the cache.  This feature may be useful if unbound serves as a 
+front-end to a hidden authoritative name server. Enabling this feature does 
+not impact cache expiry, it only changes the TTL unbound embeds in responses to 
+queries. Note that enabling this feature implicitly disables enforcement of
+the configured minimum and maximum TTL, as it is assumed users who enable this 
+feature do not want unbound to change the TTL obtained from an upstream server. 
+Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
+ignored.
+Default is "no".
+.TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the

respip/respip.c

@@ -523,7 +523,7 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
 			return NULL; /* guard against integer overflow */
 		dsize += data->rr_len[i];
 	}
-	d = regional_alloc(region, dsize);
+	d = regional_alloc_zero(region, dsize);
 	if(!d)
 		return NULL;
 	*d = *data;

services/cache/rrset.c

@@ -45,6 +45,7 @@
 #include "util/config_file.h"
 #include "util/data/packed_rrset.h"
 #include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
 #include "util/regional.h"
 #include "util/alloc.h"
 #include "util/net_help.h"
@@ -396,6 +397,7 @@ rrset_update_sec_status(struct rrset_cache* r,
 			cachedata->ttl = updata->ttl + now;
 			for(i=0; i<cachedata->count+cachedata->rrsig_count; i++)
 				cachedata->rr_ttl[i] = updata->rr_ttl[i]+now;
+			cachedata->ttl_add = now;
 		}
 	}
 	lock_rw_unlock(&e->lock);

testdata/serve_original_ttl.rpl

@@ -0,0 +1,136 @@
+; config options
+server:
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "validator iterator"
+	qname-minimisation: "no"
+	minimal-responses: no
+	serve-original-ttl: yes
+	cache-max-ttl: 1000
+	cache-min-ttl: 20
+	serve-expired: yes
+	serve-expired-reply-ttl: 123
+
+stub-zone:
+	name: "example.com"
+	stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-original-ttl
+; Scenario overview:
+; - query for example.com. IN A
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - query again after a couple seconds and check that we get the original TTL
+; (next steps are combination with serve-expired)
+; - query again after the TTL expired
+; - check that we get the expired cached answer with the original TTL
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com. IN NS ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com. IN A 1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com. 10 IN A 5.6.7.8
+		SECTION AUTHORITY
+			example.com. IN NS ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com. IN A 1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer (should be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com. 10 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com. IN NS ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Wait a couple of seconds (< 10)
+STEP 11 TIME_PASSES ELAPSE 5
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+	REPLY
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we got the cached answer with the original TTL
+; (Passively checks that minimum and maximum TTLs are ignored)
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  10 A 5.6.7.8
+	SECTION AUTHORITY
+		example.com. 3600 NS ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com. 3600 A 1.2.3.4
+ENTRY_END
+
+; Wait for the TTL to expire
+STEP 31 TIME_PASSES ELAPSE 3601
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+	REPLY
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we got a stale answer with the original TTL
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  10 A 5.6.7.8
+	SECTION AUTHORITY
+		example.com. NS ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com. A 1.2.3.4
+ENTRY_END
+
+; Give time for the pending query to get answered
+STEP 51 TRAFFIC
+
+SCENARIO_END

util/config_file.c

@@ -261,6 +261,7 @@ config_create(void)
 	cfg->serve_expired_ttl_reset = 0;
 	cfg->serve_expired_reply_ttl = 30;
 	cfg->serve_expired_client_timeout = 0;
+	cfg->serve_original_ttl = 0;
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
 	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
@@ -646,6 +647,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else if(strcmp(opt, "serve-expired-reply-ttl:") == 0)
 	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;}
 	else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
+	else S_YNO("serve-original-ttl:", serve_original_ttl)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
@@ -1066,6 +1068,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
 	else O_DEC(opt, "serve-expired-reply-ttl", serve_expired_reply_ttl)
 	else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
+	else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_UNS(opt, "add-holddown", add_holddown)
 	else O_UNS(opt, "del-holddown", del_holddown)
@@ -2126,6 +2129,7 @@ config_apply(struct config_file* config)
 	SERVE_EXPIRED = config->serve_expired;
 	SERVE_EXPIRED_TTL = (time_t)config->serve_expired_ttl;
 	SERVE_EXPIRED_REPLY_TTL = (time_t)config->serve_expired_reply_ttl;
+	SERVE_ORIGINAL_TTL = config->serve_original_ttl;
 	MAX_NEG_TTL = (time_t)config->max_negative_ttl;
 	RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;

util/config_file.h

@@ -392,6 +392,8 @@ struct config_file {
 	/** serve expired entries only after trying to update the entries and this
 	 *  timeout (in milliseconds) is reached */
 	int serve_expired_client_timeout;
+	/** serve original TTLs rather than decrementing ones */
+	int serve_original_ttl;
 	/** nsec3 maximum iterations per key size, string */
 	char* val_nsec3_key_iterations;
 	/** autotrust add holddown time, in seconds */

util/configlexer.lex

@@ -392,6 +392,7 @@ serve-expired-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
 serve-expired-ttl-reset{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
 serve-expired-reply-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
 serve-expired-client-timeout{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
+serve-original-ttl{COLON}	{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
 fake-dsa{COLON}			{ YDVAR(1, VAR_FAKE_DSA) }
 fake-sha1{COLON}		{ YDVAR(1, VAR_FAKE_SHA1) }
 val-log-level{COLON}		{ YDVAR(1, VAR_VAL_LOG_LEVEL) }

util/configparser.h

@@ -1,4 +1,4 @@
-/* A Bison parser, made by GNU Bison 3.7.  */
+/* A Bison parser, made by GNU Bison 3.6.4.  */
 
 /* Bison interface for Yacc-like parsers in C
 
@@ -280,85 +280,86 @@ extern int yydebug;
     VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET  */
     VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
     VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
-    VAR_FAKE_DSA = 484,            /* VAR_FAKE_DSA  */
-    VAR_FAKE_SHA1 = 485,           /* VAR_FAKE_SHA1  */
-    VAR_LOG_IDENTITY = 486,        /* VAR_LOG_IDENTITY  */
-    VAR_HIDE_TRUSTANCHOR = 487,    /* VAR_HIDE_TRUSTANCHOR  */
-    VAR_TRUST_ANCHOR_SIGNALING = 488, /* VAR_TRUST_ANCHOR_SIGNALING  */
-    VAR_AGGRESSIVE_NSEC = 489,     /* VAR_AGGRESSIVE_NSEC  */
-    VAR_USE_SYSTEMD = 490,         /* VAR_USE_SYSTEMD  */
-    VAR_SHM_ENABLE = 491,          /* VAR_SHM_ENABLE  */
-    VAR_SHM_KEY = 492,             /* VAR_SHM_KEY  */
-    VAR_ROOT_KEY_SENTINEL = 493,   /* VAR_ROOT_KEY_SENTINEL  */
-    VAR_DNSCRYPT = 494,            /* VAR_DNSCRYPT  */
-    VAR_DNSCRYPT_ENABLE = 495,     /* VAR_DNSCRYPT_ENABLE  */
-    VAR_DNSCRYPT_PORT = 496,       /* VAR_DNSCRYPT_PORT  */
-    VAR_DNSCRYPT_PROVIDER = 497,   /* VAR_DNSCRYPT_PROVIDER  */
-    VAR_DNSCRYPT_SECRET_KEY = 498, /* VAR_DNSCRYPT_SECRET_KEY  */
-    VAR_DNSCRYPT_PROVIDER_CERT = 499, /* VAR_DNSCRYPT_PROVIDER_CERT  */
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 500, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 501, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 503, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
-    VAR_PAD_RESPONSES = 505,       /* VAR_PAD_RESPONSES  */
-    VAR_PAD_RESPONSES_BLOCK_SIZE = 506, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
-    VAR_PAD_QUERIES = 507,         /* VAR_PAD_QUERIES  */
-    VAR_PAD_QUERIES_BLOCK_SIZE = 508, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
-    VAR_IPSECMOD_ENABLED = 509,    /* VAR_IPSECMOD_ENABLED  */
-    VAR_IPSECMOD_HOOK = 510,       /* VAR_IPSECMOD_HOOK  */
-    VAR_IPSECMOD_IGNORE_BOGUS = 511, /* VAR_IPSECMOD_IGNORE_BOGUS  */
-    VAR_IPSECMOD_MAX_TTL = 512,    /* VAR_IPSECMOD_MAX_TTL  */
-    VAR_IPSECMOD_WHITELIST = 513,  /* VAR_IPSECMOD_WHITELIST  */
-    VAR_IPSECMOD_STRICT = 514,     /* VAR_IPSECMOD_STRICT  */
-    VAR_CACHEDB = 515,             /* VAR_CACHEDB  */
-    VAR_CACHEDB_BACKEND = 516,     /* VAR_CACHEDB_BACKEND  */
-    VAR_CACHEDB_SECRETSEED = 517,  /* VAR_CACHEDB_SECRETSEED  */
-    VAR_CACHEDB_REDISHOST = 518,   /* VAR_CACHEDB_REDISHOST  */
-    VAR_CACHEDB_REDISPORT = 519,   /* VAR_CACHEDB_REDISPORT  */
-    VAR_CACHEDB_REDISTIMEOUT = 520, /* VAR_CACHEDB_REDISTIMEOUT  */
-    VAR_CACHEDB_REDISEXPIRERECORDS = 521, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 522, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
-    VAR_FOR_UPSTREAM = 523,        /* VAR_FOR_UPSTREAM  */
-    VAR_AUTH_ZONE = 524,           /* VAR_AUTH_ZONE  */
-    VAR_ZONEFILE = 525,            /* VAR_ZONEFILE  */
-    VAR_MASTER = 526,              /* VAR_MASTER  */
-    VAR_URL = 527,                 /* VAR_URL  */
-    VAR_FOR_DOWNSTREAM = 528,      /* VAR_FOR_DOWNSTREAM  */
-    VAR_FALLBACK_ENABLED = 529,    /* VAR_FALLBACK_ENABLED  */
-    VAR_TLS_ADDITIONAL_PORT = 530, /* VAR_TLS_ADDITIONAL_PORT  */
-    VAR_LOW_RTT = 531,             /* VAR_LOW_RTT  */
-    VAR_LOW_RTT_PERMIL = 532,      /* VAR_LOW_RTT_PERMIL  */
-    VAR_FAST_SERVER_PERMIL = 533,  /* VAR_FAST_SERVER_PERMIL  */
-    VAR_FAST_SERVER_NUM = 534,     /* VAR_FAST_SERVER_NUM  */
-    VAR_ALLOW_NOTIFY = 535,        /* VAR_ALLOW_NOTIFY  */
-    VAR_TLS_WIN_CERT = 536,        /* VAR_TLS_WIN_CERT  */
-    VAR_TCP_CONNECTION_LIMIT = 537, /* VAR_TCP_CONNECTION_LIMIT  */
-    VAR_FORWARD_NO_CACHE = 538,    /* VAR_FORWARD_NO_CACHE  */
-    VAR_STUB_NO_CACHE = 539,       /* VAR_STUB_NO_CACHE  */
-    VAR_LOG_SERVFAIL = 540,        /* VAR_LOG_SERVFAIL  */
-    VAR_DENY_ANY = 541,            /* VAR_DENY_ANY  */
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 542, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
-    VAR_LOG_TAG_QUERYREPLY = 543,  /* VAR_LOG_TAG_QUERYREPLY  */
-    VAR_STREAM_WAIT_SIZE = 544,    /* VAR_STREAM_WAIT_SIZE  */
-    VAR_TLS_CIPHERS = 545,         /* VAR_TLS_CIPHERS  */
-    VAR_TLS_CIPHERSUITES = 546,    /* VAR_TLS_CIPHERSUITES  */
-    VAR_TLS_USE_SNI = 547,         /* VAR_TLS_USE_SNI  */
-    VAR_IPSET = 548,               /* VAR_IPSET  */
-    VAR_IPSET_NAME_V4 = 549,       /* VAR_IPSET_NAME_V4  */
-    VAR_IPSET_NAME_V6 = 550,       /* VAR_IPSET_NAME_V6  */
-    VAR_TLS_SESSION_TICKET_KEYS = 551, /* VAR_TLS_SESSION_TICKET_KEYS  */
-    VAR_RPZ = 552,                 /* VAR_RPZ  */
-    VAR_TAGS = 553,                /* VAR_TAGS  */
-    VAR_RPZ_ACTION_OVERRIDE = 554, /* VAR_RPZ_ACTION_OVERRIDE  */
-    VAR_RPZ_CNAME_OVERRIDE = 555,  /* VAR_RPZ_CNAME_OVERRIDE  */
-    VAR_RPZ_LOG = 556,             /* VAR_RPZ_LOG  */
-    VAR_RPZ_LOG_NAME = 557,        /* VAR_RPZ_LOG_NAME  */
-    VAR_DYNLIB = 558,              /* VAR_DYNLIB  */
-    VAR_DYNLIB_FILE = 559,         /* VAR_DYNLIB_FILE  */
-    VAR_EDNS_CLIENT_STRING = 560,  /* VAR_EDNS_CLIENT_STRING  */
-    VAR_EDNS_CLIENT_STRING_OPCODE = 561, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
-    VAR_NSID = 562                 /* VAR_NSID  */
+    VAR_SERVE_ORIGINAL_TTL = 484,  /* VAR_SERVE_ORIGINAL_TTL  */
+    VAR_FAKE_DSA = 485,            /* VAR_FAKE_DSA  */
+    VAR_FAKE_SHA1 = 486,           /* VAR_FAKE_SHA1  */
+    VAR_LOG_IDENTITY = 487,        /* VAR_LOG_IDENTITY  */
+    VAR_HIDE_TRUSTANCHOR = 488,    /* VAR_HIDE_TRUSTANCHOR  */
+    VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING  */
+    VAR_AGGRESSIVE_NSEC = 490,     /* VAR_AGGRESSIVE_NSEC  */
+    VAR_USE_SYSTEMD = 491,         /* VAR_USE_SYSTEMD  */
+    VAR_SHM_ENABLE = 492,          /* VAR_SHM_ENABLE  */
+    VAR_SHM_KEY = 493,             /* VAR_SHM_KEY  */
+    VAR_ROOT_KEY_SENTINEL = 494,   /* VAR_ROOT_KEY_SENTINEL  */
+    VAR_DNSCRYPT = 495,            /* VAR_DNSCRYPT  */
+    VAR_DNSCRYPT_ENABLE = 496,     /* VAR_DNSCRYPT_ENABLE  */
+    VAR_DNSCRYPT_PORT = 497,       /* VAR_DNSCRYPT_PORT  */
+    VAR_DNSCRYPT_PROVIDER = 498,   /* VAR_DNSCRYPT_PROVIDER  */
+    VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY  */
+    VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT  */
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
+    VAR_PAD_RESPONSES = 506,       /* VAR_PAD_RESPONSES  */
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
+    VAR_PAD_QUERIES = 508,         /* VAR_PAD_QUERIES  */
+    VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
+    VAR_IPSECMOD_ENABLED = 510,    /* VAR_IPSECMOD_ENABLED  */
+    VAR_IPSECMOD_HOOK = 511,       /* VAR_IPSECMOD_HOOK  */
+    VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS  */
+    VAR_IPSECMOD_MAX_TTL = 513,    /* VAR_IPSECMOD_MAX_TTL  */
+    VAR_IPSECMOD_WHITELIST = 514,  /* VAR_IPSECMOD_WHITELIST  */
+    VAR_IPSECMOD_STRICT = 515,     /* VAR_IPSECMOD_STRICT  */
+    VAR_CACHEDB = 516,             /* VAR_CACHEDB  */
+    VAR_CACHEDB_BACKEND = 517,     /* VAR_CACHEDB_BACKEND  */
+    VAR_CACHEDB_SECRETSEED = 518,  /* VAR_CACHEDB_SECRETSEED  */
+    VAR_CACHEDB_REDISHOST = 519,   /* VAR_CACHEDB_REDISHOST  */
+    VAR_CACHEDB_REDISPORT = 520,   /* VAR_CACHEDB_REDISPORT  */
+    VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT  */
+    VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
+    VAR_FOR_UPSTREAM = 524,        /* VAR_FOR_UPSTREAM  */
+    VAR_AUTH_ZONE = 525,           /* VAR_AUTH_ZONE  */
+    VAR_ZONEFILE = 526,            /* VAR_ZONEFILE  */
+    VAR_MASTER = 527,              /* VAR_MASTER  */
+    VAR_URL = 528,                 /* VAR_URL  */
+    VAR_FOR_DOWNSTREAM = 529,      /* VAR_FOR_DOWNSTREAM  */
+    VAR_FALLBACK_ENABLED = 530,    /* VAR_FALLBACK_ENABLED  */
+    VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT  */
+    VAR_LOW_RTT = 532,             /* VAR_LOW_RTT  */
+    VAR_LOW_RTT_PERMIL = 533,      /* VAR_LOW_RTT_PERMIL  */
+    VAR_FAST_SERVER_PERMIL = 534,  /* VAR_FAST_SERVER_PERMIL  */
+    VAR_FAST_SERVER_NUM = 535,     /* VAR_FAST_SERVER_NUM  */
+    VAR_ALLOW_NOTIFY = 536,        /* VAR_ALLOW_NOTIFY  */
+    VAR_TLS_WIN_CERT = 537,        /* VAR_TLS_WIN_CERT  */
+    VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT  */
+    VAR_FORWARD_NO_CACHE = 539,    /* VAR_FORWARD_NO_CACHE  */
+    VAR_STUB_NO_CACHE = 540,       /* VAR_STUB_NO_CACHE  */
+    VAR_LOG_SERVFAIL = 541,        /* VAR_LOG_SERVFAIL  */
+    VAR_DENY_ANY = 542,            /* VAR_DENY_ANY  */
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
+    VAR_LOG_TAG_QUERYREPLY = 544,  /* VAR_LOG_TAG_QUERYREPLY  */
+    VAR_STREAM_WAIT_SIZE = 545,    /* VAR_STREAM_WAIT_SIZE  */
+    VAR_TLS_CIPHERS = 546,         /* VAR_TLS_CIPHERS  */
+    VAR_TLS_CIPHERSUITES = 547,    /* VAR_TLS_CIPHERSUITES  */
+    VAR_TLS_USE_SNI = 548,         /* VAR_TLS_USE_SNI  */
+    VAR_IPSET = 549,               /* VAR_IPSET  */
+    VAR_IPSET_NAME_V4 = 550,       /* VAR_IPSET_NAME_V4  */
+    VAR_IPSET_NAME_V6 = 551,       /* VAR_IPSET_NAME_V6  */
+    VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS  */
+    VAR_RPZ = 553,                 /* VAR_RPZ  */
+    VAR_TAGS = 554,                /* VAR_TAGS  */
+    VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE  */
+    VAR_RPZ_CNAME_OVERRIDE = 556,  /* VAR_RPZ_CNAME_OVERRIDE  */
+    VAR_RPZ_LOG = 557,             /* VAR_RPZ_LOG  */
+    VAR_RPZ_LOG_NAME = 558,        /* VAR_RPZ_LOG_NAME  */
+    VAR_DYNLIB = 559,              /* VAR_DYNLIB  */
+    VAR_DYNLIB_FILE = 560,         /* VAR_DYNLIB_FILE  */
+    VAR_EDNS_CLIENT_STRING = 561,  /* VAR_EDNS_CLIENT_STRING  */
+    VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
+    VAR_NSID = 563                 /* VAR_NSID  */
   };
   typedef enum yytokentype yytoken_kind_t;
 #endif
@@ -592,85 +593,86 @@ extern int yydebug;
 #define VAR_SERVE_EXPIRED_TTL_RESET 481
 #define VAR_SERVE_EXPIRED_REPLY_TTL 482
 #define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
-#define VAR_FAKE_DSA 484
-#define VAR_FAKE_SHA1 485
-#define VAR_LOG_IDENTITY 486
-#define VAR_HIDE_TRUSTANCHOR 487
-#define VAR_TRUST_ANCHOR_SIGNALING 488
-#define VAR_AGGRESSIVE_NSEC 489
-#define VAR_USE_SYSTEMD 490
-#define VAR_SHM_ENABLE 491
-#define VAR_SHM_KEY 492
-#define VAR_ROOT_KEY_SENTINEL 493
-#define VAR_DNSCRYPT 494
-#define VAR_DNSCRYPT_ENABLE 495
-#define VAR_DNSCRYPT_PORT 496
-#define VAR_DNSCRYPT_PROVIDER 497
-#define VAR_DNSCRYPT_SECRET_KEY 498
-#define VAR_DNSCRYPT_PROVIDER_CERT 499
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 500
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 501
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 502
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 503
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 504
-#define VAR_PAD_RESPONSES 505
-#define VAR_PAD_RESPONSES_BLOCK_SIZE 506
-#define VAR_PAD_QUERIES 507
-#define VAR_PAD_QUERIES_BLOCK_SIZE 508
-#define VAR_IPSECMOD_ENABLED 509
-#define VAR_IPSECMOD_HOOK 510
-#define VAR_IPSECMOD_IGNORE_BOGUS 511
-#define VAR_IPSECMOD_MAX_TTL 512
-#define VAR_IPSECMOD_WHITELIST 513
-#define VAR_IPSECMOD_STRICT 514
-#define VAR_CACHEDB 515
-#define VAR_CACHEDB_BACKEND 516
-#define VAR_CACHEDB_SECRETSEED 517
-#define VAR_CACHEDB_REDISHOST 518
-#define VAR_CACHEDB_REDISPORT 519
-#define VAR_CACHEDB_REDISTIMEOUT 520
-#define VAR_CACHEDB_REDISEXPIRERECORDS 521
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 522
-#define VAR_FOR_UPSTREAM 523
-#define VAR_AUTH_ZONE 524
-#define VAR_ZONEFILE 525
-#define VAR_MASTER 526
-#define VAR_URL 527
-#define VAR_FOR_DOWNSTREAM 528
-#define VAR_FALLBACK_ENABLED 529
-#define VAR_TLS_ADDITIONAL_PORT 530
-#define VAR_LOW_RTT 531
-#define VAR_LOW_RTT_PERMIL 532
-#define VAR_FAST_SERVER_PERMIL 533
-#define VAR_FAST_SERVER_NUM 534
-#define VAR_ALLOW_NOTIFY 535
-#define VAR_TLS_WIN_CERT 536
-#define VAR_TCP_CONNECTION_LIMIT 537
-#define VAR_FORWARD_NO_CACHE 538
-#define VAR_STUB_NO_CACHE 539
-#define VAR_LOG_SERVFAIL 540
-#define VAR_DENY_ANY 541
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 542
-#define VAR_LOG_TAG_QUERYREPLY 543
-#define VAR_STREAM_WAIT_SIZE 544
-#define VAR_TLS_CIPHERS 545
-#define VAR_TLS_CIPHERSUITES 546
-#define VAR_TLS_USE_SNI 547
-#define VAR_IPSET 548
-#define VAR_IPSET_NAME_V4 549
-#define VAR_IPSET_NAME_V6 550
-#define VAR_TLS_SESSION_TICKET_KEYS 551
-#define VAR_RPZ 552
-#define VAR_TAGS 553
-#define VAR_RPZ_ACTION_OVERRIDE 554
-#define VAR_RPZ_CNAME_OVERRIDE 555
-#define VAR_RPZ_LOG 556
-#define VAR_RPZ_LOG_NAME 557
-#define VAR_DYNLIB 558
-#define VAR_DYNLIB_FILE 559
-#define VAR_EDNS_CLIENT_STRING 560
-#define VAR_EDNS_CLIENT_STRING_OPCODE 561
-#define VAR_NSID 562
+#define VAR_SERVE_ORIGINAL_TTL 484
+#define VAR_FAKE_DSA 485
+#define VAR_FAKE_SHA1 486
+#define VAR_LOG_IDENTITY 487
+#define VAR_HIDE_TRUSTANCHOR 488
+#define VAR_TRUST_ANCHOR_SIGNALING 489
+#define VAR_AGGRESSIVE_NSEC 490
+#define VAR_USE_SYSTEMD 491
+#define VAR_SHM_ENABLE 492
+#define VAR_SHM_KEY 493
+#define VAR_ROOT_KEY_SENTINEL 494
+#define VAR_DNSCRYPT 495
+#define VAR_DNSCRYPT_ENABLE 496
+#define VAR_DNSCRYPT_PORT 497
+#define VAR_DNSCRYPT_PROVIDER 498
+#define VAR_DNSCRYPT_SECRET_KEY 499
+#define VAR_DNSCRYPT_PROVIDER_CERT 500
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505
+#define VAR_PAD_RESPONSES 506
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 507
+#define VAR_PAD_QUERIES 508
+#define VAR_PAD_QUERIES_BLOCK_SIZE 509
+#define VAR_IPSECMOD_ENABLED 510
+#define VAR_IPSECMOD_HOOK 511
+#define VAR_IPSECMOD_IGNORE_BOGUS 512
+#define VAR_IPSECMOD_MAX_TTL 513
+#define VAR_IPSECMOD_WHITELIST 514
+#define VAR_IPSECMOD_STRICT 515
+#define VAR_CACHEDB 516
+#define VAR_CACHEDB_BACKEND 517
+#define VAR_CACHEDB_SECRETSEED 518
+#define VAR_CACHEDB_REDISHOST 519
+#define VAR_CACHEDB_REDISPORT 520
+#define VAR_CACHEDB_REDISTIMEOUT 521
+#define VAR_CACHEDB_REDISEXPIRERECORDS 522
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523
+#define VAR_FOR_UPSTREAM 524
+#define VAR_AUTH_ZONE 525
+#define VAR_ZONEFILE 526
+#define VAR_MASTER 527
+#define VAR_URL 528
+#define VAR_FOR_DOWNSTREAM 529
+#define VAR_FALLBACK_ENABLED 530
+#define VAR_TLS_ADDITIONAL_PORT 531
+#define VAR_LOW_RTT 532
+#define VAR_LOW_RTT_PERMIL 533
+#define VAR_FAST_SERVER_PERMIL 534
+#define VAR_FAST_SERVER_NUM 535
+#define VAR_ALLOW_NOTIFY 536
+#define VAR_TLS_WIN_CERT 537
+#define VAR_TCP_CONNECTION_LIMIT 538
+#define VAR_FORWARD_NO_CACHE 539
+#define VAR_STUB_NO_CACHE 540
+#define VAR_LOG_SERVFAIL 541
+#define VAR_DENY_ANY 542
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543
+#define VAR_LOG_TAG_QUERYREPLY 544
+#define VAR_STREAM_WAIT_SIZE 545
+#define VAR_TLS_CIPHERS 546
+#define VAR_TLS_CIPHERSUITES 547
+#define VAR_TLS_USE_SNI 548
+#define VAR_IPSET 549
+#define VAR_IPSET_NAME_V4 550
+#define VAR_IPSET_NAME_V6 551
+#define VAR_TLS_SESSION_TICKET_KEYS 552
+#define VAR_RPZ 553
+#define VAR_TAGS 554
+#define VAR_RPZ_ACTION_OVERRIDE 555
+#define VAR_RPZ_CNAME_OVERRIDE 556
+#define VAR_RPZ_LOG 557
+#define VAR_RPZ_LOG_NAME 558
+#define VAR_DYNLIB 559
+#define VAR_DYNLIB_FILE 560
+#define VAR_EDNS_CLIENT_STRING 561
+#define VAR_EDNS_CLIENT_STRING_OPCODE 562
+#define VAR_NSID 563
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -680,7 +682,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 684 "util/configparser.h"
+#line 686 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -151,7 +151,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
 %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_SERVE_EXPIRED_TTL
 %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL
-%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_FAKE_DSA
+%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA
 %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
 %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD
 %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL
@@ -282,7 +282,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_serve_expired |
 	server_serve_expired_ttl | server_serve_expired_ttl_reset |
 	server_serve_expired_reply_ttl | server_serve_expired_client_timeout |
-	server_fake_dsa | server_log_identity | server_use_systemd |
+	server_serve_original_ttl | server_fake_dsa | 
+	server_log_identity | server_use_systemd |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
 	server_hide_trustanchor | server_trust_anchor_signaling |
@@ -1934,6 +1935,15 @@ server_serve_expired_client_timeout: VAR_SERVE_EXPIRED_CLIENT_TIMEOUT STRING_ARG
 		free($2);
 	}
 	;
+server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG
+	{
+		OUTYY(("P(server_serve_original_ttl:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->serve_original_ttl = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 	{
 		OUTYY(("P(server_fake_dsa:%s)\n", $2));

util/data/msgencode.c

@@ -454,6 +454,7 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 	size_t i, j, owner_pos;
 	int r, owner_labs;
 	uint16_t owner_ptr = 0;
+	time_t adjust = 0;
 	struct packed_rrset_data* data = (struct packed_rrset_data*)
 		key->entry.data;
 	
@@ -464,9 +465,12 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 	owner_labs = dname_count_labels(key->rk.dname);
 	owner_pos = sldns_buffer_position(pkt);
 
-	/* For an rrset with a fixed TTL, use the rrset's TTL as given */
+	/** Determine relative time adjustment for TTL values.
+	 * For an rrset with a fixed TTL, use the rrset's TTL as given. */
 	if((key->rk.flags & PACKED_RRSET_FIXEDTTL) != 0)
-		timenow = 0;
+		adjust = 0;
+	else
+		adjust = SERVE_ORIGINAL_TTL ? data->ttl_add : timenow;
 
 	if(do_data) {
 		const sldns_rr_descriptor* c = type_rdata_compressable(key);
@@ -479,11 +483,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 				return r;
 			sldns_buffer_write(pkt, &key->rk.type, 2);
 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
-			if(data->rr_ttl[j] < timenow)
+			if(data->rr_ttl[j] < adjust)
 				sldns_buffer_write_u32(pkt,
 					SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0);
-			else 	sldns_buffer_write_u32(pkt, 
-					data->rr_ttl[j]-timenow);
+			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[j],
 					data->rr_len[j], region, tree, c))
@@ -517,11 +520,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			}
 			sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_RRSIG);
 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
-			if(data->rr_ttl[i] < timenow)
+			if(data->rr_ttl[i] < adjust)
 				sldns_buffer_write_u32(pkt,
 					SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0);
-			else 	sldns_buffer_write_u32(pkt, 
-					data->rr_ttl[i]-timenow);
+			else	sldns_buffer_write_u32(pkt, data->rr_ttl[i]-adjust);
 			/* rrsig rdata cannot be compressed, perform 100+ byte
 			 * memcopy. */
 			sldns_buffer_write(pkt, data->rr_data[i],

util/data/msgparse.h

@@ -87,6 +87,8 @@ extern time_t SERVE_EXPIRED_TTL;
 extern time_t SERVE_EXPIRED_REPLY_TTL;
 /** Negative cache time (for entries without any RRs.) */
 #define NORR_TTL 5 /* seconds */
+/** If we serve the original TTL or decrementing TTLs */
+extern int SERVE_ORIGINAL_TTL;
 
 /**
  * Data stored in scratch pad memory during parsing.

util/data/msgreply.c

@@ -67,6 +67,8 @@ int SERVE_EXPIRED = 0;
 time_t SERVE_EXPIRED_TTL = 0;
 /** TTL to use for expired records */
 time_t SERVE_EXPIRED_REPLY_TTL = 30;
+/** If we serve the original TTL or decrementing TTLs */
+int SERVE_ORIGINAL_TTL = 0;
 
 /** allocate qinfo, return 0 on error */
 static int
@@ -197,9 +199,9 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
 		if(*rr_ttl > MAX_NEG_TTL)
 			*rr_ttl = MAX_NEG_TTL;
 	}
-	if(*rr_ttl < MIN_TTL)
+	if(!SERVE_ORIGINAL_TTL && (*rr_ttl < MIN_TTL))
 		*rr_ttl = MIN_TTL;
-	if(*rr_ttl > MAX_TTL)
+	if(!SERVE_ORIGINAL_TTL && (*rr_ttl > MAX_TTL))
 		*rr_ttl = MAX_TTL;
 	if(*rr_ttl < data->ttl)
 		data->ttl = *rr_ttl;
@@ -321,8 +323,8 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset,
 		(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t)) + 
 		pset->size;
 	if(region)
-		*data = regional_alloc(region, s);
-	else	*data = malloc(s);
+		*data = regional_alloc_zero(region, s);
+	else	*data = calloc(1, s);
 	if(!*data)
 		return 0;
 	/* copy & decompress */
@@ -526,6 +528,7 @@ reply_info_set_ttls(struct reply_info* rep, time_t timenow)
 		for(j=0; j<data->count + data->rrsig_count; j++) {
 			data->rr_ttl[j] += timenow;
 		}
+		data->ttl_add = timenow;
 	}
 }
 

util/data/packed_rrset.c

@@ -220,6 +220,7 @@ packed_rrset_ttl_add(struct packed_rrset_data* data, time_t add)
 {
 	size_t i;
 	size_t total = data->count + data->rrsig_count;
+	data->ttl_add = add;
 	data->ttl += add;
 	for(i=0; i<total; i++)
 		data->rr_ttl[i] += add;
@@ -275,6 +276,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 		entry.data;
 	uint8_t rr[65535];
 	size_t rlen = rrset->rk.dname_len + 2 + 2 + 4 + d->rr_len[i];
+	time_t adjust = 0;
 	log_assert(dest_len > 0 && dest);
 	if(rlen > dest_len) {
 		dest[0] = 0;
@@ -285,8 +287,10 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 		memmove(rr+rrset->rk.dname_len, &rrset->rk.type, 2);
 	else	sldns_write_uint16(rr+rrset->rk.dname_len, LDNS_RR_TYPE_RRSIG);
 	memmove(rr+rrset->rk.dname_len+2, &rrset->rk.rrset_class, 2);
+	adjust = SERVE_ORIGINAL_TTL ? d->ttl_add : now;
+	if (d->rr_ttl[i] < adjust) adjust = d->rr_ttl[i]; /* Prevent negative TTL overflow */
 	sldns_write_uint32(rr+rrset->rk.dname_len+4,
-		(uint32_t)(d->rr_ttl[i]-now));
+		(uint32_t)(d->rr_ttl[i]-adjust));
 	memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
 	if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
 		log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
@@ -332,6 +336,7 @@ packed_rrset_copy_region(struct ub_packed_rrset_key* key,
 	struct packed_rrset_data* data = (struct packed_rrset_data*)
 		key->entry.data;
 	size_t dsize, i;
+	time_t adjust = 0;
 	if(!ck)
 		return NULL;
 	ck->id = key->id;
@@ -350,14 +355,16 @@ packed_rrset_copy_region(struct ub_packed_rrset_key* key,
 	ck->entry.data = d;
 	packed_rrset_ptr_fixup(d);
 	/* make TTLs relative - once per rrset */
+	adjust = SERVE_ORIGINAL_TTL ? data->ttl_add : now;
 	for(i=0; i<d->count + d->rrsig_count; i++) {
-		if(d->rr_ttl[i] < now)
+		if(d->rr_ttl[i] < adjust)
 			d->rr_ttl[i] = SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0;
-		else	d->rr_ttl[i] -= now;
+		else	d->rr_ttl[i] -= adjust;
 	}
-	if(d->ttl < now)
+	if(d->ttl < adjust)
 		d->ttl = SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0;
-	else	d->ttl -= now;
+	else	d->ttl -= adjust;
+	d->ttl_add = 0; /* TTLs have been made relative */
 	return ck;
 }
 

util/data/packed_rrset.h

@@ -233,6 +233,9 @@ enum sec_status {
  *	the ttl value to send changes due to time.
  */
 struct packed_rrset_data {
+	/** Timestamp added to TTLs in the packed data.
+	 * Needed to support serving original TTLs. */
+	time_t ttl_add;
 	/** TTL (in seconds like time()) of the rrset.
 	 * Same for all RRs see rfc2181(5.2).  */
 	time_t ttl;