auth-can-lower-ttl setting appears to have no effect #88

Closed
Habbie opened this Issue Apr 26, 2013 · 3 comments

@Habbie
Member
Habbie commented Apr 26, 2013

The "auth-can-lower-ttl" setting for the recursor appears to have no effect. Regardless of the setting, the daemon appears to allow an authoritative server to lower (or raise, even) the TTL of an NS record (typically through the authoritative section of another query), i.e. as though this setting is always "on".

In versions prior to the introduction of this option, the daemon's behavior was as though this was "off".

For example, with 3.1.2:

[dgamble@dgamble ~]$ grep auth-can-lower-ttl /etc/powerdns/recursor.conf
# auth-can-lower-ttl    If we follow RFC 2181 to the letter, an authoritative server can lower the TTL of NS records
auth-can-lower-ttl=off
[dgamble@dgamble ~]$ dig +nocomments ns pvponline.com @localhost

; <<>> DiG 9.2.4 <<>> +nocomments ns pvponline.com @localhost
;; global options:  printcmd
;pvponline.com.                 IN      NS
pvponline.com.          172800  IN      NS      ns1.speakeasy.net.
pvponline.com.          172800  IN      NS      ns2.speakeasy.net.
ns1.speakeasy.net.      172800  IN      A       72.1.140.145
ns2.speakeasy.net.      3600    IN      A       216.231.41.19
;; Query time: 444 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Jul 11 07:52:56 2006
;; MSG SIZE  rcvd: 112

[dgamble@dgamble ~]$ dig +nocomments ns pvponline.com @localhost

; <<>> DiG 9.2.4 <<>> +nocomments ns pvponline.com @localhost
;; global options:  printcmd
;pvponline.com.                 IN      NS
pvponline.com.          172796  IN      NS      ns2.speakeasy.net.
pvponline.com.          172796  IN      NS      ns1.speakeasy.net.
ns1.speakeasy.net.      172796  IN      A       72.1.140.145
ns2.speakeasy.net.      3596    IN      A       216.231.41.19
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Jul 11 07:53:00 2006
;; MSG SIZE  rcvd: 112

[dgamble@dgamble ~]$ dig +nocomments a www.pvponline.com @localhost

; <<>> DiG 9.2.4 <<>> +nocomments a www.pvponline.com @localhost
;; global options:  printcmd
;www.pvponline.com.             IN      A
www.pvponline.com.      3600    IN      CNAME   pvponline.com.
pvponline.com.          3600    IN      A       69.12.22.162
;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Jul 11 07:53:06 2006
;; MSG SIZE  rcvd: 65

[dgamble@dgamble ~]$ dig +nocomments ns pvponline.com @localhost

; <<>> DiG 9.2.4 <<>> +nocomments ns pvponline.com @localhost
;; global options:  printcmd
;pvponline.com.                 IN      NS
pvponline.com.          3595    IN      NS      ns2.speakeasy.net.
pvponline.com.          3595    IN      NS      ns1.speakeasy.net.
ns2.speakeasy.net.      3585    IN      A       216.231.41.19
ns1.speakeasy.net.      172785  IN      A       72.1.140.145
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Jul 11 07:53:11 2006
;; MSG SIZE  rcvd: 112
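
An added check, not part of the original report or of PowerDNS itself: it replays the record and WHEN lines of the dig transcript above and reports every cached record whose TTL differs from what plain cache aging predicts. The function name `ttl_jumps` and the 2-second slack are assumptions made for this example.

```python
import re
from datetime import datetime

# Abridged from the dig transcript in the report above (record and WHEN lines only).
SAMPLE = """\
pvponline.com.          172800  IN      NS      ns1.speakeasy.net.
pvponline.com.          172800  IN      NS      ns2.speakeasy.net.
ns2.speakeasy.net.      3600    IN      A       216.231.41.19
;; WHEN: Tue Jul 11 07:52:56 2006
pvponline.com.          172796  IN      NS      ns2.speakeasy.net.
pvponline.com.          172796  IN      NS      ns1.speakeasy.net.
ns2.speakeasy.net.      3596    IN      A       216.231.41.19
;; WHEN: Tue Jul 11 07:53:00 2006
www.pvponline.com.      3600    IN      CNAME   pvponline.com.
pvponline.com.          3600    IN      A       69.12.22.162
;; WHEN: Tue Jul 11 07:53:06 2006
pvponline.com.          3595    IN      NS      ns2.speakeasy.net.
pvponline.com.          3595    IN      NS      ns1.speakeasy.net.
ns2.speakeasy.net.      3585    IN      A       216.231.41.19
;; WHEN: Tue Jul 11 07:53:11 2006
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")
WHEN = re.compile(r"^;; WHEN:\s+(.+?)\s*$")

def ttl_jumps(text, slack=2):
    """Return (name, type, rdata, expected_ttl, seen_ttl) for every cached record
    whose TTL changed by more than ordinary aging between two dig answers."""
    last = {}      # (name, type, rdata) -> (ttl, time last seen)
    pending = []   # records of the answer currently being read
    jumps = []
    for line in text.splitlines():
        m = WHEN.match(line)
        if m:  # the WHEN line closes one dig answer: compare it with the cache history
            now = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for key, ttl in pending:
                if key in last:
                    old_ttl, seen = last[key]
                    expected = old_ttl - int((now - seen).total_seconds())
                    if abs(ttl - expected) > slack:
                        jumps.append((*key, expected, ttl))
                last[key] = (ttl, now)
            pending = []
            continue
        m = RR.match(line)
        if m:  # question and comment lines have no numeric TTL field and do not match
            name, ttl, rtype, rdata = m.groups()
            pending.append(((name.lower(), rtype, rdata.lower()), int(ttl)))
    return jumps
```

On the transcript it flags both pvponline.com NS records in the last answer, where aging alone predicts a TTL of 172785 and the recursor returns 3595; the ns2.speakeasy.net A record ages normally and is not flagged.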
@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Just confirmed that this is still an issue as of r2296.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
We will drop this setting for 3.5, fixing our behaviour to the 'on' case. A regression test will be included.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Flag dropped in r3092. The ghost-2 test should cover this case too; please let us know if you think we are still doing something wrong!
