Skip to content

NSD serves RRsets with differing TTLs in them #178

New issue
New issue
Open
Open
NSD serves RRsets with differing TTLs in them#178
@jpmens

Description

@jpmens
jpmens
opened on May 14, 2021

NSD serves RRsets with differing TTLs in them which, according to RFC 2181, section 5.2 is not permitted:

In no case may a server send an RRSet with TTLs not all equal.

to reproduce:

  1. I configure the following zone in NSD 4.3.6
zone:
	name: "example"
	zonefile: "dot.example"
	provide-xfr: 0.0.0.0/0 NOKEY
  1. The zone contains an NS RRset with differing TTL on the records
example.  3600	IN	SOA	localhost. . 1 10800 3600 604800 3600
example.  3600	IN	NS	ns1.somewhere.
example.  10800	IN	NS	ns2.somewhere.
  1. I launch NSD, and it "sees" and reports the issue
$ nsd -d -V9
[2021-05-14 14:10:04.586] nsd[12861]: notice: nsd starting (NSD 4.3.6)
[2021-05-14 14:10:04.586] nsd[12861]: notice: listen on ip-address 0.0.0.0@53 (udp) with server(s): *
[2021-05-14 14:10:04.586] nsd[12861]: notice: listen on ip-address 0.0.0.0@53 (tcp) with server(s): *
[2021-05-14 14:10:04.587] nsd[12861]: info: creating unix socket /run/nsd/nsd.ctl
[2021-05-14 14:10:04.604] nsd[12862]: warning: dot.example:3: example. TTL 10800 does not match the TTL 3600 of the NS RRset
[2021-05-14 14:10:04.604] nsd[12862]: info: zone example read with success
[2021-05-14 14:10:04.615] nsd[12862]: notice: nsd started (NSD 4.3.6), pid 12861

At this point I would have expected NSD to fix the differing TTLs while reading the zone into core, but it doesn't:

  1. I query the zone
$ dig @192.168.1.177 example. NS +norec
;; ANSWER SECTION:
example.		10800	IN	NS	ns2.somewhere.
example.		3600	IN	NS	ns1.somewhere.
  1. And if I ask for the XFR, I get it with differing TTL as well
$ dig @192.168.1.177 example. AXFR +onesoa
example.		3600	IN	SOA	localhost. . 1 10800 3600 604800 3600
example.		3600	IN	NS	ns1.somewhere.
example.		10800	IN	NS	ns2.somewhere.
;; Query time: 0 msec
;; SERVER: 192.168.1.177#53(192.168.1.177)
;; WHEN: Fri May 14 16:20:57 CEST 2021
;; XFR size: 4 records (messages 1, bytes 160)

my expectation

I would expect NSD to "fix" the TTLs upon loading the zone, somewhat in the manner that BIND has done in the last 20 years or so. :-)

$ named-checkzone example dot.example 
dot.example:3: TTL set to prior TTL (3600)
zone example/IN: loaded serial 1
OK

BIND then serves the "fixed" TTL.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions