
rec: Uncached RRSIG TTL not clamped to max-cache-ttl #9193

Closed
mnordhoff opened this issue Jun 3, 2020 · 0 comments · Fixed by #9205


mnordhoff commented Jun 3, 2020

  • Program: Recursor
  • Issue type: Bug report

Short description

When responding to a query for something that was not in the cache, the TTL of the normal records is limited by the max-cache-ttl setting. However, the original TTL of RRSIG records is used.

If the response is later reused by the packet cache, the TTLs are decremented as appropriate (of course) but the RRSIG TTL is still not limited.

When the records come from the record cache, the TTLs are both capped.

Mainly this surprised me! I'm not aware of it doing any harm.

I think it violates RFC 4034, which says, "The TTL value of an RRSIG RR MUST match the TTL value of the RRset it covers." However, I'm not certain of the context. It might just mean "in an authoritative zone". It might not apply to resolvers.

Environment

  • Operating system: Ubuntu 16.04
  • Software version: 4.4.0~alpha1+master.127.gbcbc0a729-1pdns.xenial, 4.4.0~alpha1+master.152.g1350ab29e-1pdns.xenial
  • Software source: PowerDNS repository

Steps to reproduce

  1. dig +dnssec +nocookie us ns
  2. Wait
  3. dig +dnssec +nocookie us ns
  4. dig +dnssec us ns

Expected behaviour

max-cache-ttl for everything.

Actual behaviour

Original TTLs for RRSIG records.

(I have max-cache-ttl=172800. Personal preference.)

$ dig +dnssec +nocookie us ns

; <<>> DiG 9.17.1-1+ubuntu16.04.1+isc+3-Ubuntu <<>> +dnssec +nocookie us ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33634
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;us.                            IN      NS

;; ANSWER SECTION:
us.                     172800  IN      NS      a.cctld.us.
us.                     172800  IN      NS      b.cctld.us.
us.                     172800  IN      NS      e.cctld.us.
us.                     172800  IN      NS      k.cctld.us.
us.                     172800  IN      NS      f.cctld.us.
us.                     172800  IN      NS      c.cctld.us.
us.                     518400  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 8985 us. ap6wt7Jyzo/KMPTX3gsK0WNweCCkKAyjfPGbee3e7Uwxf7cLPycMzad9 J/eX5PClUt/FeK3C4KLHP3BY1SQkXvAQT9r6EBTjlFa9hwaXIMK44NlI 1meO1FRBZlM92ymMj5kZDnaU5g87Qxlhq9PLsPlvq4BWXMm/TRFSuLpZ qsr9Zo807I66O9UHrtFMJ6n/zqhqQo3oaulNb4MOl/OBOA==
us.                     518400  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 53985 us. TgzeR+QPBbgOBZdjzvpB8aaY0N+PW/hcU8yP352cSjMwmAhKrYnJIRTX 6/H99Lv0owUC4dwtZVRJkwtaVCd7udM2CYQNO64Hd3JI/K1WJwePQ0NT pbXH6EIYFvdoDR+uxJ8vS7qKvQsOmRwwVVqCaA+0y7MaSMz24kpXj/gU Mai7TDknHb+sJpDEd6DtCMqxx8Jx/p8zumJY+2/UdEtw4A==

;; Query time: 76 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jun 03 09:59:01 UTC 2020
;; MSG SIZE  rcvd: 521

$ dig +dnssec +nocookie us ns

; <<>> DiG 9.17.1-1+ubuntu16.04.1+isc+3-Ubuntu <<>> +dnssec +nocookie us ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29959
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;us.                            IN      NS

;; ANSWER SECTION:
us.                     172794  IN      NS      a.cctld.us.
us.                     172794  IN      NS      b.cctld.us.
us.                     172794  IN      NS      e.cctld.us.
us.                     172794  IN      NS      k.cctld.us.
us.                     172794  IN      NS      f.cctld.us.
us.                     172794  IN      NS      c.cctld.us.
us.                     518394  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 8985 us. ap6wt7Jyzo/KMPTX3gsK0WNweCCkKAyjfPGbee3e7Uwxf7cLPycMzad9 J/eX5PClUt/FeK3C4KLHP3BY1SQkXvAQT9r6EBTjlFa9hwaXIMK44NlI 1meO1FRBZlM92ymMj5kZDnaU5g87Qxlhq9PLsPlvq4BWXMm/TRFSuLpZ qsr9Zo807I66O9UHrtFMJ6n/zqhqQo3oaulNb4MOl/OBOA==
us.                     518394  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 53985 us. TgzeR+QPBbgOBZdjzvpB8aaY0N+PW/hcU8yP352cSjMwmAhKrYnJIRTX 6/H99Lv0owUC4dwtZVRJkwtaVCd7udM2CYQNO64Hd3JI/K1WJwePQ0NT pbXH6EIYFvdoDR+uxJ8vS7qKvQsOmRwwVVqCaA+0y7MaSMz24kpXj/gU Mai7TDknHb+sJpDEd6DtCMqxx8Jx/p8zumJY+2/UdEtw4A==

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jun 03 09:59:07 UTC 2020
;; MSG SIZE  rcvd: 521

$ dig +dnssec us ns

; <<>> DiG 9.17.1-1+ubuntu16.04.1+isc+3-Ubuntu <<>> +dnssec us ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;us.                            IN      NS

;; ANSWER SECTION:
us.                     172625  IN      NS      f.cctld.us.
us.                     172625  IN      NS      c.cctld.us.
us.                     172625  IN      NS      k.cctld.us.
us.                     172625  IN      NS      a.cctld.us.
us.                     172625  IN      NS      b.cctld.us.
us.                     172625  IN      NS      e.cctld.us.
us.                     172625  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 8985 us. ap6wt7Jyzo/KMPTX3gsK0WNweCCkKAyjfPGbee3e7Uwxf7cLPycMzad9 J/eX5PClUt/FeK3C4KLHP3BY1SQkXvAQT9r6EBTjlFa9hwaXIMK44NlI 1meO1FRBZlM92ymMj5kZDnaU5g87Qxlhq9PLsPlvq4BWXMm/TRFSuLpZ qsr9Zo807I66O9UHrtFMJ6n/zqhqQo3oaulNb4MOl/OBOA==
us.                     172625  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 53985 us. TgzeR+QPBbgOBZdjzvpB8aaY0N+PW/hcU8yP352cSjMwmAhKrYnJIRTX 6/H99Lv0owUC4dwtZVRJkwtaVCd7udM2CYQNO64Hd3JI/K1WJwePQ0NT pbXH6EIYFvdoDR+uxJ8vS7qKvQsOmRwwVVqCaA+0y7MaSMz24kpXj/gU Mai7TDknHb+sJpDEd6DtCMqxx8Jx/p8zumJY+2/UdEtw4A==

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Jun 03 10:01:56 UTC 2020
;; MSG SIZE  rcvd: 521

Other information

On the other hand, it is called max-cache-ttl, not max-not-actually-from-the-cache-ttl. ;-)

Configuration:

allow-from=127.0.0.0/8, ::1/128
allow-trust-anchor-query
carbon-ourname=clover_mattnordhoff_net
carbon-server=2a02:2770:8::2635:0:1
config-dir=/etc/powerdns
dnssec=validate
dnssec-log-bogus
hint-file=/usr/share/dns/root.hints
include-dir=/etc/powerdns/recursor.d
local-address=127.0.0.1, ::1
log-common-errors
lua-config-file=/etc/powerdns/recursor.lua
max-cache-ttl=172800
max-negative-ttl=10800
query-local-address=0.0.0.0, ::
quiet=yes
setgid=pdns
setuid=pdns
threads=1

Includes/Lua are the package defaults.
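The inconsistency the report describes can be checked mechanically. The following Python script is an added example, not code from the report or from PowerDNS: it parses dig-style answer lines (a constructed sample modelled on the first run above, with the signatures truncated), flags any RRSIG whose TTL exceeds max-cache-ttl or differs from the TTL of the RRset it covers (the RFC 4034 rule quoted in the report), and shows the clamping that makes both checks pass. The function and constant names are the example's own.

```python
"""Check RRSIG TTL consistency in a dig answer section and show the clamping fix.

Added example; not part of the issue or of PowerDNS. MAX_CACHE_TTL mirrors the
reporter's max-cache-ttl=172800 setting.
"""

MAX_CACHE_TTL = 172800

# Constructed sample, modelled on the first dig run in the report.
# Signatures are truncated; only the TTL and type fields matter here.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
us.                     172800  IN      NS      a.cctld.us.
us.                     172800  IN      NS      b.cctld.us.
us.                     518400  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 8985 us. ap6wt7Jyzo...
us.                     518400  IN      RRSIG   NS 8 1 518400 20200628094919 20200529090116 53985 us. TgzeR+QPBb...
"""


def parse_answer(text):
    """Parse presentation-format lines into (owner, ttl, rtype, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped; only IN-class
    records are kept.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        records.append((owner, int(ttl), rtype, rdata))
    return records


def covered_type(rdata):
    """The type an RRSIG covers is the first rdata field (RFC 4034 section 3.1.1)."""
    return rdata.split()[0]


def rrset_ttls(records):
    """Map (owner, type) of each non-RRSIG RRset to the TTL of its first record."""
    ttls = {}
    for owner, ttl, rtype, _rdata in records:
        if rtype != "RRSIG":
            ttls.setdefault((owner, rtype), ttl)
    return ttls


def find_ttl_violations(records, max_cache_ttl):
    """Return (owner, rtype, ttl, reason) for every record whose TTL is wrong.

    Two rules are checked: no TTL may exceed max_cache_ttl, and each RRSIG TTL
    must equal the TTL of the RRset it covers.
    """
    violations = []
    ttls = rrset_ttls(records)
    for owner, ttl, rtype, rdata in records:
        if ttl > max_cache_ttl:
            violations.append((owner, rtype, ttl, "exceeds max-cache-ttl"))
        if rtype == "RRSIG":
            covered = ttls.get((owner, covered_type(rdata)))
            if covered is not None and ttl != covered:
                reason = f"does not match covered {covered_type(rdata)} TTL {covered}"
                violations.append((owner, rtype, ttl, reason))
    return violations


def clamp_ttls(records, max_cache_ttl):
    """Clamp every TTL to max_cache_ttl, then align each RRSIG with its RRset.

    Clamping first and aligning second is what keeps the two rules consistent:
    an RRSIG never ends up above the cap, and never disagrees with the
    (already clamped) RRset it signs.
    """
    clamped = [(o, min(t, max_cache_ttl), r, d) for o, t, r, d in records]
    ttls = rrset_ttls(clamped)
    aligned = []
    for owner, ttl, rtype, rdata in clamped:
        if rtype == "RRSIG":
            ttl = ttls.get((owner, covered_type(rdata)), ttl)
        aligned.append((owner, ttl, rtype, rdata))
    return aligned


if __name__ == "__main__":
    recs = parse_answer(SAMPLE_ANSWER)
    for v in find_ttl_violations(recs, MAX_CACHE_TTL):
        print("violation:", v)
    for rec in clamp_ttls(recs, MAX_CACHE_TTL):
        print("clamped:", rec[:3])
```

Run against the sample, the check reports both RRSIGs twice (once for exceeding the cap, once for disagreeing with the NS RRset), which is exactly the state of the first two dig runs in the report; after clamp_ttls every TTL is 172800 and the check is clean, matching what the third run (served from the record cache) already shows.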
