Relax ADDITIONAL TTL capping checks

Always expecting a TTL of exactly 300 seconds for RRsets found in the
ADDITIONAL section of responses received for CD=1 queries sent during
TTL capping checks is too strict since these responses will contain
records cached from multiple DNS messages received during the resolution
process.

In responses to queries sent with CD=1, ns.expiring.example/A in the
ADDITIONAL section will come from a delegation returned by ns2 while the
ANSWER section will come from an authoritative answer returned by ns3.
If the queries to ns2 and ns3 happen at different Unix timestamps,
RRsets cached from the older response will have a different TTL by the
time they are returned to dig, triggering a false positive.

Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL
section of responses to queries sent with CD=1 to fix the issue.  A
safety margin this large is likely overkill, but it is used nevertheless
for consistency with similar safety margins used in other TTL capping
checks.

(cherry picked from commit 8baf85906306e2757ab9cce680c7f764d6e4e04e)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d760c322560f2e104e71678e6677c5a1007e6092..02adabb24b7c27e232d169c910e1efa426ebabcc 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2788,7 +2788,7 @@ $DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
-    [ ${ttl:-0} -eq 300 ] || ret=1
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
     [ ${ttl:-0} -le 60 ] || ret=1
@@ -2806,7 +2806,7 @@ $DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
-    [ ${ttl:-0} -eq 300 ] || ret=1
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
     [ ${ttl:-0} -le 60 ] || ret=1
@@ -2864,7 +2864,7 @@ $DIG $ADDITIONALOPTS  expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
-    [ $ttl -eq 300 ] || ret=1
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
     [ $ttl -le 120  -a $ttl -gt 60 ] || ret=1
@@ -2881,7 +2881,7 @@ $DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
-    [ $ttl -eq 300 ] || ret=1
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
     [ $ttl -le 120  -a $ttl -gt 60 ] || ret=1