• Michał Kępień's avatar
    Make ANSWER TTL capping checks stricter · a85cc414
    Michał Kępień authored
    For checks querying a named instance with "dnssec-accept-expired yes;"
    set, authoritative responses have a TTL of 300 seconds.  Assuming empty
    resolver cache, TTLs of RRsets in the ANSWER section of the first
    response to a given query will always match their authoritative
    counterparts.  Also note that for a DNSSEC-validating named resolver,
    validated RRsets replace any existing non-validated RRsets with the same
    owner name and type, e.g. cached from responses received while resolving
    CD=1 queries.  Since TTL capping happens before a validated RRset is
    inserted into the cache and RRSIG expiry time does not impose an upper
    TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out
    above, the original TTLs of the relevant RRsets equal 300 seconds, the
    RRsets in the ANSWER section of the responses to expiring.example/SOA
    and expired.example/SOA queries sent with CD=0 should always be exactly
    120 seconds, never a lower value.  Make the relevant TTL checks stricter
    to reflect that.
tests.sh 134 KB