Commit a85cc414 authored by Michał Kępień

Make ANSWER TTL capping checks stricter

For checks querying a named instance with "dnssec-accept-expired yes;"
set, authoritative responses have a TTL of 300 seconds.  Assuming empty
resolver cache, TTLs of RRsets in the ANSWER section of the first
response to a given query will always match their authoritative
counterparts.  Also note that for a DNSSEC-validating named resolver,
validated RRsets replace any existing non-validated RRsets with the same
owner name and type, e.g. cached from responses received while resolving
CD=1 queries.  Since TTL capping happens before a validated RRset is
inserted into the cache and RRSIG expiry time does not impose an upper
TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out
above, the original TTLs of the relevant RRsets equal 300 seconds, the
RRsets in the ANSWER section of the responses to expiring.example/SOA
and expired.example/SOA queries sent with CD=0 should always be exactly
120 seconds, never a lower value.  Make the relevant TTL checks stricter
to reflect that.
parent 8baf8590
...@@ -2855,7 +2855,7 @@ for ttl in ${ttls:-0}; do ...@@ -2855,7 +2855,7 @@ for ttl in ${ttls:-0}; do
[ "$ttl" -eq 300 ] || ret=1 [ "$ttl" -eq 300 ] || ret=1
done done
for ttl in ${ttls2:-0}; do for ttl in ${ttls2:-0}; do
[ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 [ "$ttl" -eq 120 ] || ret=1
done done
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
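Review bot: The exact match `[ "$ttl" -eq 120 ] || ret=1` in the `ttls2` loop only holds under the preconditions given in the commit message (empty resolver cache, first response to the query, CD=0), and none of them is recorded next to the check. A short comment above the loop stating why 120 is the only acceptable value, and that a lower TTL means the answer came from an already-cached RRset, would keep a later reader from loosening the check back to a range when it fails. The `${ttls2:-0}` default still yields a failure when no TTLs were extracted, since 0 is not 120, so that path is fine.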
...@@ -2871,7 +2871,7 @@ for ttl in ${ttls:-0}; do ...@@ -2871,7 +2871,7 @@ for ttl in ${ttls:-0}; do
[ "$ttl" -eq 300 ] || ret=1 [ "$ttl" -eq 300 ] || ret=1
done done
for ttl in ${ttls2:-0}; do for ttl in ${ttls2:-0}; do
[ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 [ "$ttl" -eq 120 ] || ret=1
done done
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
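Review bot: This second `ttls2` loop is a copy of the one in the previous hunk, with the literals 300 and 120 repeated in both places, so the two checks can drift apart on the next change. Consider moving the pair of loops into a small helper that takes the expected TTL as an argument, or at least naming the two values once in variables. With an exact comparison it would also help to report the observed value on mismatch, since `echo_i "failed"` gives no hint whether the TTL was lower or higher than expected.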
......