> Conclusion - there's a low grade bug in the "rndc sign" code path that
> sets the TTL incorrectly when generating signatures.

A new development on this one - it seems that it's not just 'rndc sign' that does this, but that 'rndc loadkeys' also can (in this instance, it was during the removal of expired keys).

The steps were:

- remove the post published keys from several zones
- use rndc loadkeys to get BIND to load the changed keydata

The outcome:

RRSIG's original TTL differs from corresponding records'

It's understood that this shouldn't cause client DNSSEC-validators any problems.
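
The mismatch reported above can be checked for directly in zone data. The following is an added example, not part of the original message or of BIND: it compares each RRSIG's Original TTL field with the TTL of the RRset it covers. The function name `find_ttl_mismatches` and the sample records are constructed for illustration, and the input is assumed to be one record per line with explicit owner, TTL and class.

```python
# Added example: flag RRSIGs whose Original TTL field differs from the TTL
# of the RRset they cover (the condition reported in the message above).

# Constructed sample zone data: names, TTLs, key tag and signatures are made up.
SAMPLE_ZONE = """\
; constructed records, one per line: owner TTL class type rdata
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20290101000000 12345 example.test. c2ln
example.test. 3600 IN DNSKEY 256 3 8 a2V5
example.test. 3600 IN RRSIG DNSKEY 8 2 86400 20300101000000 20290101000000 12345 example.test. c2ln
www.example.test. 300 IN A 192.0.2.1
www.example.test. 300 IN RRSIG A 8 3 300 20300101000000 20290101000000 12345 example.test. c2ln
"""


def find_ttl_mismatches(zone_text):
    """Return (owner, covered type, RRset TTL, RRSIG original TTL, key tag)
    for every RRSIG whose Original TTL differs from the covered RRset's TTL."""
    rrset_ttl = {}  # (owner, type) -> TTL of that RRset
    rrsigs = []     # (owner, covered type, original TTL, key tag)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment line, or not a full record
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        rdata = fields[4:]
        if rtype == "RRSIG":
            # RFC 4034 RRSIG rdata order: type-covered algorithm labels
            # original-ttl expiration inception key-tag signer signature
            if len(rdata) < 9:
                continue
            rrsigs.append((owner, rdata[0].upper(), int(rdata[3]), int(rdata[6])))
        else:
            rrset_ttl.setdefault((owner, rtype), ttl)

    mismatches = []
    for owner, covered, orig_ttl, key_tag in rrsigs:
        actual = rrset_ttl.get((owner, covered))
        if actual is not None and actual != orig_ttl:
            mismatches.append((owner, covered, actual, orig_ttl, key_tag))
    return mismatches


if __name__ == "__main__":
    for owner, covered, actual, orig_ttl, key_tag in find_ttl_mismatches(SAMPLE_ZONE):
        print(f"{owner} {covered}: RRset TTL {actual}, "
              f"RRSIG original TTL {orig_ttl} (key tag {key_tag})")
```
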