-
Michał Kępień authored
For checks querying a named instance with "dnssec-accept-expired yes;" set, authoritative responses have a TTL of 300 seconds. Assuming empty resolver cache, TTLs of RRsets in the ANSWER section of the first response to a given query will always match their authoritative counterparts. Also note that for a DNSSEC-validating named resolver, validated RRsets replace any existing non-validated RRsets with the same owner name and type, e.g. cached from responses received while resolving CD=1 queries. Since TTL capping happens before a validated RRset is inserted into the cache and RRSIG expiry time does not impose an upper TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out above, the original TTLs of the relevant RRsets equal 300 seconds, the RRsets in the ANSWER section of the responses to expiring.example/SOA and expired.example/SOA queries sent with CD=0 should always be exactly 120 seconds, never a lower value. Make the relevant TTL checks stricter to reflect that.
a85cc414