Hi,

I've almost reached the point where verification of opendnssec- and bind-signed zone files shows them to be identical (after ldns-read-zone -0 to strip out RRSIG and jitter).

In bind, the NSEC3PARAM has a TTL of 0. In opendnssec, it gets the default TTL, in my case 3600.

Since this record is kind of special, I think I agree with bind that we should not store it in any caches anywhere, and so a TTL=0 seems to be the right value. I've attached a patch for this in opendnssec.

Paul
diff -Naur opendnssec-1.4.0a3-orig/signer/src/signer/zone.c
opendnssec-1.4.0a3/signer/src/signer/zone.c
--- opendnssec-1.4.0a3-orig/signer/src/signer/zone.c 2012-08-06
06:52:03.000000000 -0400
+++ opendnssec-1.4.0a3/signer/src/signer/zone.c 2012-09-12 17:00:01.813426466
-0400
@@ -355,7 +355,7 @@
return ODS_STATUS_MALLOC_ERR;
}
ldns_rr_set_class(rr, zone->klass);
- ldns_rr_set_ttl(rr, zone->default_ttl);
+ ldns_rr_set_ttl(rr, 0); /* special case */
ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
ldns_nsec3_add_param_rdfs(rr,
zone->signconf->nsec3params->algorithm, 0,
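Review bot: the comment `/* special case */` on the `+` line does not say why the TTL is forced to 0; state the rationale from the cover message in the comment (NSEC3PARAM is only meaningful to authoritative servers and should not be cached, matching what bind does) so the next reader does not revert it to `zone->default_ttl`. Since the RRSIG's Original TTL field is part of the signed data, also confirm that the RRSIG generated for this RR picks up the new TTL and that a zone already signed with the default TTL gets its NSEC3PARAM RRset re-signed rather than served with a signature made over the old TTL.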
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user