git.ipfire.org Git - thirdparty/bind9.git/commit

author	Michał Kępień <michal@isc.org>
	Mon, 11 Mar 2019 11:04:42 +0000 (12:04 +0100)
committer	Michał Kępień <michal@isc.org>
	Mon, 11 Mar 2019 11:22:23 +0000 (12:22 +0100)
commit	bacbe3a5aa2cbd5e8347ce1c8fe34c61f38065ca
tree	ee098c5b6d234f144a516ff2d8854862f43373f9	tree \| snapshot
parent	38da4bdf5ee7a0b878aae2f33c59bc6873c4cbdf	commit \| diff

Relax ADDITIONAL TTL capping checks

Always expecting a TTL of exactly 300 seconds for RRsets found in the
ADDITIONAL section of responses received for CD=1 queries sent during
TTL capping checks is too strict since these responses will contain
records cached from multiple DNS messages received during the resolution
process.

In responses to queries sent with CD=1, ns.expiring.example/A in the
ADDITIONAL section will come from a delegation returned by ns2 while the
ANSWER section will come from an authoritative answer returned by ns3.
If the queries to ns2 and ns3 happen at different Unix timestamps,
RRsets cached from the older response will have a different TTL by the
time they are returned to dig, triggering a false positive.

Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL
section of responses to queries sent with CD=1 to fix the issue. A
safety margin this large is likely overkill, but it is used nevertheless
for consistency with similar safety margins used in other TTL capping
checks.

(cherry picked from commit 8baf85906306e2757ab9cce680c7f764d6e4e04e)