Add feature to serve original TTLs rather than decrementing ones

cachedb/cachedb.c

@@ -465,6 +465,7 @@ packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
 			data->rr_ttl[i] -= subtract;
 		else	data->rr_ttl[i] = 0;
 	}
+	data->ttl_add = 0;
 }
 
 /* Adjust the TTL of a DNS message and its RRs by 'adjust'.  If 'adjust' is

doc/unbound.conf.5.in

@@ -1124,6 +1124,18 @@ responding with expired data.  A recommended value per
 draft-ietf-dnsop-serve-stale-10 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
+.B serve\-original\-ttl: \fI<yes or no>
+If enabled, unbound will always return the original TTL as received from
+the upstream authoritative name server rather than the decrementing TTL as
+stored in the cache.  This feature may be useful if unbound serves as a 
+front-end to a hidden authoritative name server. Enabling this feature does 
+not impact cache expiry, it only changes the TTL unbound embeds in responses to 
+queries. Note that the returned TTL is still subject to the
+configured maximum TTL as set using \fBcache\-max\-ttl\fR (defaults to
+86400 seconds). If you wish to return higher original TTL values, you may
+need to explicitly adjust the setting for \fBcache\-max\-ttl\fR. 
+Default is "no".
+.TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the

services/cache/rrset.c

@@ -45,6 +45,7 @@
 #include "util/config_file.h"
 #include "util/data/packed_rrset.h"
 #include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
 #include "util/regional.h"
 #include "util/alloc.h"
 #include "util/net_help.h"
@@ -396,6 +397,7 @@ rrset_update_sec_status(struct rrset_cache* r,
 			cachedata->ttl = updata->ttl + now;
 			for(i=0; i<cachedata->count+cachedata->rrsig_count; i++)
 				cachedata->rr_ttl[i] = updata->rr_ttl[i]+now;
+			cachedata->ttl_add = now;
 		}
 	}
 	lock_rw_unlock(&e->lock);

util/config_file.c

@@ -250,6 +250,7 @@ config_create(void)
 	cfg->serve_expired_ttl_reset = 0;
 	cfg->serve_expired_reply_ttl = 30;
 	cfg->serve_expired_client_timeout = 0;
+	cfg->serve_original_ttl = 0;
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
 	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
@@ -604,6 +605,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else if(strcmp(opt, "serve-expired-reply-ttl:") == 0)
 	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;}
 	else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
+	else S_YNO("serve-original-ttl:", serve_original_ttl)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
@@ -1008,6 +1010,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
 	else O_DEC(opt, "serve-expired-reply-ttl", serve_expired_reply_ttl)
 	else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
+	else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_UNS(opt, "add-holddown", add_holddown)
 	else O_UNS(opt, "del-holddown", del_holddown)
@@ -2030,6 +2033,7 @@ config_apply(struct config_file* config)
 	SERVE_EXPIRED = config->serve_expired;
 	SERVE_EXPIRED_TTL = (time_t)config->serve_expired_ttl;
 	SERVE_EXPIRED_REPLY_TTL = (time_t)config->serve_expired_reply_ttl;
+	SERVE_ORIGINAL_TTL = config->serve_original_ttl;
 	MAX_NEG_TTL = (time_t)config->max_negative_ttl;
 	RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;

util/config_file.h

@@ -373,6 +373,8 @@ struct config_file {
 	/** serve expired entries only after trying to update the entries and this
 	 *  timeout (in milliseconds) is reached */
 	int serve_expired_client_timeout;
+	/** serve original TTLs rather than decrementing ones */
+	int serve_original_ttl;
 	/** nsec3 maximum iterations per key size, string */
 	char* val_nsec3_key_iterations;
 	/** autotrust add holddown time, in seconds */

util/configlexer.lex

@@ -374,6 +374,7 @@ serve-expired-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
 serve-expired-ttl-reset{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
 serve-expired-reply-ttl{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
 serve-expired-client-timeout{COLON}	{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
+serve-original-ttl{COLON}	{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
 fake-dsa{COLON}			{ YDVAR(1, VAR_FAKE_DSA) }
 fake-sha1{COLON}		{ YDVAR(1, VAR_FAKE_SHA1) }
 val-log-level{COLON}		{ YDVAR(1, VAR_VAL_LOG_LEVEL) }

util/configparser.h

@@ -1,9 +1,8 @@
-/* A Bison parser, made by GNU Bison 3.4.1.  */
+/* A Bison parser, made by GNU Bison 3.0.4.  */
 
 /* Bison interface for Yacc-like parsers in C
 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-   Inc.
+   Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -31,9 +30,6 @@
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
-/* Undocumented macros, especially those whose name start with YY_,
-   are private implementation details.  Do not rely on them.  */
-
 #ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 # define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 /* Debug traces.  */
@@ -264,78 +260,79 @@ extern int yydebug;
     VAR_SERVE_EXPIRED_TTL_RESET = 470,
     VAR_SERVE_EXPIRED_REPLY_TTL = 471,
     VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 472,
-    VAR_FAKE_DSA = 473,
-    VAR_FAKE_SHA1 = 474,
-    VAR_LOG_IDENTITY = 475,
-    VAR_HIDE_TRUSTANCHOR = 476,
-    VAR_TRUST_ANCHOR_SIGNALING = 477,
-    VAR_AGGRESSIVE_NSEC = 478,
-    VAR_USE_SYSTEMD = 479,
-    VAR_SHM_ENABLE = 480,
-    VAR_SHM_KEY = 481,
-    VAR_ROOT_KEY_SENTINEL = 482,
-    VAR_DNSCRYPT = 483,
-    VAR_DNSCRYPT_ENABLE = 484,
-    VAR_DNSCRYPT_PORT = 485,
-    VAR_DNSCRYPT_PROVIDER = 486,
-    VAR_DNSCRYPT_SECRET_KEY = 487,
-    VAR_DNSCRYPT_PROVIDER_CERT = 488,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 489,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 490,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 491,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 492,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 493,
-    VAR_IPSECMOD_ENABLED = 494,
-    VAR_IPSECMOD_HOOK = 495,
-    VAR_IPSECMOD_IGNORE_BOGUS = 496,
-    VAR_IPSECMOD_MAX_TTL = 497,
-    VAR_IPSECMOD_WHITELIST = 498,
-    VAR_IPSECMOD_STRICT = 499,
-    VAR_CACHEDB = 500,
-    VAR_CACHEDB_BACKEND = 501,
-    VAR_CACHEDB_SECRETSEED = 502,
-    VAR_CACHEDB_REDISHOST = 503,
-    VAR_CACHEDB_REDISPORT = 504,
-    VAR_CACHEDB_REDISTIMEOUT = 505,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 506,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 507,
-    VAR_FOR_UPSTREAM = 508,
-    VAR_AUTH_ZONE = 509,
-    VAR_ZONEFILE = 510,
-    VAR_MASTER = 511,
-    VAR_URL = 512,
-    VAR_FOR_DOWNSTREAM = 513,
-    VAR_FALLBACK_ENABLED = 514,
-    VAR_TLS_ADDITIONAL_PORT = 515,
-    VAR_LOW_RTT = 516,
-    VAR_LOW_RTT_PERMIL = 517,
-    VAR_FAST_SERVER_PERMIL = 518,
-    VAR_FAST_SERVER_NUM = 519,
-    VAR_ALLOW_NOTIFY = 520,
-    VAR_TLS_WIN_CERT = 521,
-    VAR_TCP_CONNECTION_LIMIT = 522,
-    VAR_FORWARD_NO_CACHE = 523,
-    VAR_STUB_NO_CACHE = 524,
-    VAR_LOG_SERVFAIL = 525,
-    VAR_DENY_ANY = 526,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 527,
-    VAR_LOG_TAG_QUERYREPLY = 528,
-    VAR_STREAM_WAIT_SIZE = 529,
-    VAR_TLS_CIPHERS = 530,
-    VAR_TLS_CIPHERSUITES = 531,
-    VAR_TLS_USE_SNI = 532,
-    VAR_IPSET = 533,
-    VAR_IPSET_NAME_V4 = 534,
-    VAR_IPSET_NAME_V6 = 535,
-    VAR_TLS_SESSION_TICKET_KEYS = 536,
-    VAR_RPZ = 537,
-    VAR_TAGS = 538,
-    VAR_RPZ_ACTION_OVERRIDE = 539,
-    VAR_RPZ_CNAME_OVERRIDE = 540,
-    VAR_RPZ_LOG = 541,
-    VAR_RPZ_LOG_NAME = 542,
-    VAR_DYNLIB = 543,
-    VAR_DYNLIB_FILE = 544
+    VAR_SERVE_ORIGINAL_TTL = 473,
+    VAR_FAKE_DSA = 474,
+    VAR_FAKE_SHA1 = 475,
+    VAR_LOG_IDENTITY = 476,
+    VAR_HIDE_TRUSTANCHOR = 477,
+    VAR_TRUST_ANCHOR_SIGNALING = 478,
+    VAR_AGGRESSIVE_NSEC = 479,
+    VAR_USE_SYSTEMD = 480,
+    VAR_SHM_ENABLE = 481,
+    VAR_SHM_KEY = 482,
+    VAR_ROOT_KEY_SENTINEL = 483,
+    VAR_DNSCRYPT = 484,
+    VAR_DNSCRYPT_ENABLE = 485,
+    VAR_DNSCRYPT_PORT = 486,
+    VAR_DNSCRYPT_PROVIDER = 487,
+    VAR_DNSCRYPT_SECRET_KEY = 488,
+    VAR_DNSCRYPT_PROVIDER_CERT = 489,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 490,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 491,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 492,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 493,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 494,
+    VAR_IPSECMOD_ENABLED = 495,
+    VAR_IPSECMOD_HOOK = 496,
+    VAR_IPSECMOD_IGNORE_BOGUS = 497,
+    VAR_IPSECMOD_MAX_TTL = 498,
+    VAR_IPSECMOD_WHITELIST = 499,
+    VAR_IPSECMOD_STRICT = 500,
+    VAR_CACHEDB = 501,
+    VAR_CACHEDB_BACKEND = 502,
+    VAR_CACHEDB_SECRETSEED = 503,
+    VAR_CACHEDB_REDISHOST = 504,
+    VAR_CACHEDB_REDISPORT = 505,
+    VAR_CACHEDB_REDISTIMEOUT = 506,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 507,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 508,
+    VAR_FOR_UPSTREAM = 509,
+    VAR_AUTH_ZONE = 510,
+    VAR_ZONEFILE = 511,
+    VAR_MASTER = 512,
+    VAR_URL = 513,
+    VAR_FOR_DOWNSTREAM = 514,
+    VAR_FALLBACK_ENABLED = 515,
+    VAR_TLS_ADDITIONAL_PORT = 516,
+    VAR_LOW_RTT = 517,
+    VAR_LOW_RTT_PERMIL = 518,
+    VAR_FAST_SERVER_PERMIL = 519,
+    VAR_FAST_SERVER_NUM = 520,
+    VAR_ALLOW_NOTIFY = 521,
+    VAR_TLS_WIN_CERT = 522,
+    VAR_TCP_CONNECTION_LIMIT = 523,
+    VAR_FORWARD_NO_CACHE = 524,
+    VAR_STUB_NO_CACHE = 525,
+    VAR_LOG_SERVFAIL = 526,
+    VAR_DENY_ANY = 527,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 528,
+    VAR_LOG_TAG_QUERYREPLY = 529,
+    VAR_STREAM_WAIT_SIZE = 530,
+    VAR_TLS_CIPHERS = 531,
+    VAR_TLS_CIPHERSUITES = 532,
+    VAR_TLS_USE_SNI = 533,
+    VAR_IPSET = 534,
+    VAR_IPSET_NAME_V4 = 535,
+    VAR_IPSET_NAME_V6 = 536,
+    VAR_TLS_SESSION_TICKET_KEYS = 537,
+    VAR_RPZ = 538,
+    VAR_TAGS = 539,
+    VAR_RPZ_ACTION_OVERRIDE = 540,
+    VAR_RPZ_CNAME_OVERRIDE = 541,
+    VAR_RPZ_LOG = 542,
+    VAR_RPZ_LOG_NAME = 543,
+    VAR_DYNLIB = 544,
+    VAR_DYNLIB_FILE = 545
   };
 #endif
 /* Tokens.  */
@@ -554,90 +551,92 @@ extern int yydebug;
 #define VAR_SERVE_EXPIRED_TTL_RESET 470
 #define VAR_SERVE_EXPIRED_REPLY_TTL 471
 #define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 472
-#define VAR_FAKE_DSA 473
-#define VAR_FAKE_SHA1 474
-#define VAR_LOG_IDENTITY 475
-#define VAR_HIDE_TRUSTANCHOR 476
-#define VAR_TRUST_ANCHOR_SIGNALING 477
-#define VAR_AGGRESSIVE_NSEC 478
-#define VAR_USE_SYSTEMD 479
-#define VAR_SHM_ENABLE 480
-#define VAR_SHM_KEY 481
-#define VAR_ROOT_KEY_SENTINEL 482
-#define VAR_DNSCRYPT 483
-#define VAR_DNSCRYPT_ENABLE 484
-#define VAR_DNSCRYPT_PORT 485
-#define VAR_DNSCRYPT_PROVIDER 486
-#define VAR_DNSCRYPT_SECRET_KEY 487
-#define VAR_DNSCRYPT_PROVIDER_CERT 488
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 489
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 490
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 491
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 492
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 493
-#define VAR_IPSECMOD_ENABLED 494
-#define VAR_IPSECMOD_HOOK 495
-#define VAR_IPSECMOD_IGNORE_BOGUS 496
-#define VAR_IPSECMOD_MAX_TTL 497
-#define VAR_IPSECMOD_WHITELIST 498
-#define VAR_IPSECMOD_STRICT 499
-#define VAR_CACHEDB 500
-#define VAR_CACHEDB_BACKEND 501
-#define VAR_CACHEDB_SECRETSEED 502
-#define VAR_CACHEDB_REDISHOST 503
-#define VAR_CACHEDB_REDISPORT 504
-#define VAR_CACHEDB_REDISTIMEOUT 505
-#define VAR_CACHEDB_REDISEXPIRERECORDS 506
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 507
-#define VAR_FOR_UPSTREAM 508
-#define VAR_AUTH_ZONE 509
-#define VAR_ZONEFILE 510
-#define VAR_MASTER 511
-#define VAR_URL 512
-#define VAR_FOR_DOWNSTREAM 513
-#define VAR_FALLBACK_ENABLED 514
-#define VAR_TLS_ADDITIONAL_PORT 515
-#define VAR_LOW_RTT 516
-#define VAR_LOW_RTT_PERMIL 517
-#define VAR_FAST_SERVER_PERMIL 518
-#define VAR_FAST_SERVER_NUM 519
-#define VAR_ALLOW_NOTIFY 520
-#define VAR_TLS_WIN_CERT 521
-#define VAR_TCP_CONNECTION_LIMIT 522
-#define VAR_FORWARD_NO_CACHE 523
-#define VAR_STUB_NO_CACHE 524
-#define VAR_LOG_SERVFAIL 525
-#define VAR_DENY_ANY 526
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 527
-#define VAR_LOG_TAG_QUERYREPLY 528
-#define VAR_STREAM_WAIT_SIZE 529
-#define VAR_TLS_CIPHERS 530
-#define VAR_TLS_CIPHERSUITES 531
-#define VAR_TLS_USE_SNI 532
-#define VAR_IPSET 533
-#define VAR_IPSET_NAME_V4 534
-#define VAR_IPSET_NAME_V6 535
-#define VAR_TLS_SESSION_TICKET_KEYS 536
-#define VAR_RPZ 537
-#define VAR_TAGS 538
-#define VAR_RPZ_ACTION_OVERRIDE 539
-#define VAR_RPZ_CNAME_OVERRIDE 540
-#define VAR_RPZ_LOG 541
-#define VAR_RPZ_LOG_NAME 542
-#define VAR_DYNLIB 543
-#define VAR_DYNLIB_FILE 544
+#define VAR_SERVE_ORIGINAL_TTL 473
+#define VAR_FAKE_DSA 474
+#define VAR_FAKE_SHA1 475
+#define VAR_LOG_IDENTITY 476
+#define VAR_HIDE_TRUSTANCHOR 477
+#define VAR_TRUST_ANCHOR_SIGNALING 478
+#define VAR_AGGRESSIVE_NSEC 479
+#define VAR_USE_SYSTEMD 480
+#define VAR_SHM_ENABLE 481
+#define VAR_SHM_KEY 482
+#define VAR_ROOT_KEY_SENTINEL 483
+#define VAR_DNSCRYPT 484
+#define VAR_DNSCRYPT_ENABLE 485
+#define VAR_DNSCRYPT_PORT 486
+#define VAR_DNSCRYPT_PROVIDER 487
+#define VAR_DNSCRYPT_SECRET_KEY 488
+#define VAR_DNSCRYPT_PROVIDER_CERT 489
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 490
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 491
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 492
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 493
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 494
+#define VAR_IPSECMOD_ENABLED 495
+#define VAR_IPSECMOD_HOOK 496
+#define VAR_IPSECMOD_IGNORE_BOGUS 497
+#define VAR_IPSECMOD_MAX_TTL 498
+#define VAR_IPSECMOD_WHITELIST 499
+#define VAR_IPSECMOD_STRICT 500
+#define VAR_CACHEDB 501
+#define VAR_CACHEDB_BACKEND 502
+#define VAR_CACHEDB_SECRETSEED 503
+#define VAR_CACHEDB_REDISHOST 504
+#define VAR_CACHEDB_REDISPORT 505
+#define VAR_CACHEDB_REDISTIMEOUT 506
+#define VAR_CACHEDB_REDISEXPIRERECORDS 507
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 508
+#define VAR_FOR_UPSTREAM 509
+#define VAR_AUTH_ZONE 510
+#define VAR_ZONEFILE 511
+#define VAR_MASTER 512
+#define VAR_URL 513
+#define VAR_FOR_DOWNSTREAM 514
+#define VAR_FALLBACK_ENABLED 515
+#define VAR_TLS_ADDITIONAL_PORT 516
+#define VAR_LOW_RTT 517
+#define VAR_LOW_RTT_PERMIL 518
+#define VAR_FAST_SERVER_PERMIL 519
+#define VAR_FAST_SERVER_NUM 520
+#define VAR_ALLOW_NOTIFY 521
+#define VAR_TLS_WIN_CERT 522
+#define VAR_TCP_CONNECTION_LIMIT 523
+#define VAR_FORWARD_NO_CACHE 524
+#define VAR_STUB_NO_CACHE 525
+#define VAR_LOG_SERVFAIL 526
+#define VAR_DENY_ANY 527
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 528
+#define VAR_LOG_TAG_QUERYREPLY 529
+#define VAR_STREAM_WAIT_SIZE 530
+#define VAR_TLS_CIPHERS 531
+#define VAR_TLS_CIPHERSUITES 532
+#define VAR_TLS_USE_SNI 533
+#define VAR_IPSET 534
+#define VAR_IPSET_NAME_V4 535
+#define VAR_IPSET_NAME_V6 536
+#define VAR_TLS_SESSION_TICKET_KEYS 537
+#define VAR_RPZ 538
+#define VAR_TAGS 539
+#define VAR_RPZ_ACTION_OVERRIDE 540
+#define VAR_RPZ_CNAME_OVERRIDE 541
+#define VAR_RPZ_LOG 542
+#define VAR_RPZ_LOG_NAME 543
+#define VAR_DYNLIB 544
+#define VAR_DYNLIB_FILE 545
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+
 union YYSTYPE
 {
-#line 66 "./util/configparser.y"
+#line 66 "./util/configparser.y" /* yacc.c:1909  */
 
 	char*	str;
 
-#line 639 "util/configparser.h"
-
+#line 638 "util/configparser.h" /* yacc.c:1909  */
 };
+
 typedef union YYSTYPE YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define YYSTYPE_IS_DECLARED 1

util/configparser.y

@@ -147,7 +147,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
 %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_SERVE_EXPIRED_TTL
 %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL
-%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_FAKE_DSA
+%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA
 %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
 %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD
 %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL
@@ -264,7 +264,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_qname_minimisation_strict | server_serve_expired |
 	server_serve_expired_ttl | server_serve_expired_ttl_reset |
 	server_serve_expired_reply_ttl | server_serve_expired_client_timeout |
-	server_fake_dsa | server_log_identity | server_use_systemd |
+	server_serve_original_ttl | server_fake_dsa | 
+	server_log_identity | server_use_systemd |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
 	server_hide_trustanchor | server_trust_anchor_signaling |
@@ -1816,6 +1817,15 @@ server_serve_expired_client_timeout: VAR_SERVE_EXPIRED_CLIENT_TIMEOUT STRING_ARG
 		free($2);
 	}
 	;
+server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG
+	{
+		OUTYY(("P(server_serve_original_ttl:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->serve_original_ttl = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 	{
 		OUTYY(("P(server_fake_dsa:%s)\n", $2));

util/data/msgencode.c

@@ -483,7 +483,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 				sldns_buffer_write_u32(pkt,
 					SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0);
 			else 	sldns_buffer_write_u32(pkt, 
-					data->rr_ttl[j]-timenow);
+					data->rr_ttl[j]-(timenow == 0 ? 0 :
+						(SERVE_ORIGINAL_TTL ? 
+						data->ttl_add : timenow)));
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[j],
 					data->rr_len[j], region, tree, c))
@@ -521,7 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 				sldns_buffer_write_u32(pkt,
 					SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0);
 			else 	sldns_buffer_write_u32(pkt, 
-					data->rr_ttl[i]-timenow);
+					data->rr_ttl[i]-(timenow == 0 ? 0 :
+					(SERVE_ORIGINAL_TTL ? 
+						data->ttl_add : timenow)));
 			/* rrsig rdata cannot be compressed, perform 100+ byte
 			 * memcopy. */
 			sldns_buffer_write(pkt, data->rr_data[i],

util/data/msgparse.h

@@ -87,6 +87,8 @@ extern time_t SERVE_EXPIRED_TTL;
 extern time_t SERVE_EXPIRED_REPLY_TTL;
 /** Negative cache time (for entries without any RRs.) */
 #define NORR_TTL 5 /* seconds */
+/** If we serve the original TTL or decrementing TTLs */
+extern int SERVE_ORIGINAL_TTL;
 
 /**
  * Data stored in scratch pad memory during parsing.

util/data/msgreply.c

@@ -67,6 +67,8 @@ int SERVE_EXPIRED = 0;
 time_t SERVE_EXPIRED_TTL = 0;
 /** TTL to use for expired records */
 time_t SERVE_EXPIRED_REPLY_TTL = 30;
+/** If we serve the original TTL or decrementing TTLs */
+int SERVE_ORIGINAL_TTL = 0;
 
 /** allocate qinfo, return 0 on error */
 static int
@@ -526,6 +528,7 @@ reply_info_set_ttls(struct reply_info* rep, time_t timenow)
 		for(j=0; j<data->count + data->rrsig_count; j++) {
 			data->rr_ttl[j] += timenow;
 		}
+		data->ttl_add = timenow;
 	}
 }
 

util/data/packed_rrset.c

@@ -220,6 +220,7 @@ packed_rrset_ttl_add(struct packed_rrset_data* data, time_t add)
 {
 	size_t i;
 	size_t total = data->count + data->rrsig_count;
+	data->ttl_add = add;
 	data->ttl += add;
 	for(i=0; i<total; i++)
 		data->rr_ttl[i] += add;
@@ -286,7 +287,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
 	else	sldns_write_uint16(rr+rrset->rk.dname_len, LDNS_RR_TYPE_RRSIG);
 	memmove(rr+rrset->rk.dname_len+2, &rrset->rk.rrset_class, 2);
 	sldns_write_uint32(rr+rrset->rk.dname_len+4,
-		(uint32_t)(d->rr_ttl[i]-now));
+		(uint32_t)(d->rr_ttl[i]-(SERVE_ORIGINAL_TTL ? d->ttl_add : now)));
 	memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
 	if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
 		log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
@@ -353,11 +354,12 @@ packed_rrset_copy_region(struct ub_packed_rrset_key* key,
 	for(i=0; i<d->count + d->rrsig_count; i++) {
 		if(d->rr_ttl[i] < now)
 			d->rr_ttl[i] = SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0;
-		else	d->rr_ttl[i] -= now;
+		else	d->rr_ttl[i] -= SERVE_ORIGINAL_TTL ? data->ttl_add : now;
 	}
 	if(d->ttl < now)
 		d->ttl = SERVE_EXPIRED?SERVE_EXPIRED_REPLY_TTL:0;
-	else	d->ttl -= now;
+	else	d->ttl -= SERVE_ORIGINAL_TTL ? data->ttl_add : now;
+	d->ttl_add = 0; /* TTLs have been made relative */
 	return ck;
 }
 

util/data/packed_rrset.h

@@ -233,6 +233,9 @@ enum sec_status {
  *	the ttl value to send changes due to time.
  */
 struct packed_rrset_data {
+	/** Timestamp added to TTLs in the packed data.
+	 * Needed to support serving original TTLs. */
+	time_t ttl_add;
 	/** TTL (in seconds like time()) of the rrset.
 	 * Same for all RRs see rfc2181(5.2).  */
 	time_t ttl;