"The TTL of the RRSIG exceeds the value of its Original TTL field"

[bortzmeyer]

DNSviz complains because "The TTL of the RRSIG (7200) exceeds the value of its Original TTL field (3600). See RFC 4035, Sec. 2.2." It seems DNSviz is right here:

% dig @ns4.bortzmeyer.org internautique.fr DNSKEY

; <<>> DiG 9.18.39-0ubuntu0.24.04.1-Ubuntu <<>> @ns4.bortzmeyer.org internautique.fr DNSKEY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56073
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;internautique.fr.	IN DNSKEY

;; ANSWER SECTION:
internautique.fr.	3600 IN	DNSKEY 257 3 15 (
				TQJyvqDGtIVNj+x1YBQmbB3j9XoU3F0GKjIQ7omIGW8=
				) ; KSK; alg = ED25519 ; key id = 15611
internautique.fr.	3600 IN	DNSKEY 256 3 15 (
				WIaKrZqGW/ZQOOFI2Vod/WQFvg55tQGwKLXrrRAfcPQ=
				) ; ZSK; alg = ED25519 ; key id = 14729
internautique.fr.	7200 IN	RRSIG DNSKEY 15 2 3600 (
				20251022151722 20251007151722 15611 internautique.fr.
				tKky/rF+XOoUZ7EU0jCLvvO+mA3hsjVLpX77sdFJZQJ6
				O8dJnI6CH9NvqXnpF5dvrml6nBa8thXG/Bpn8Ur4AQ== )

;; Query time: 7 msec
;; SERVER: 2001:4b98:dc0:41:216:3eff:fe27:3d3f#53(ns4.bortzmeyer.org) (UDP)
;; WHEN: Wed Oct 08 18:06:09 CEST 2025
;; MSG SIZE  rcvd: 253

[ximon18]

Thanks @bortzmeyer,

Very appreciated, we’ll investigate.

Ximon

[Philip-NLnetLabs]

Hi @bortzmeyer,

I can't figure out how to reproduce this. In my own testing the TTL of RRSIG matches the one of DNSKEY RRset. Can you give description of how to reproduce this?

[bortzmeyer]

I can't figure out how to reproduce this. In my own testing the TTL of RRSIG matches the one of DNSKEY RRset. Can you give description of how to reproduce this?

I'm wondering if this is because of #185 : I typed something from the output of cascade zone status with a TTL value I made up. This may reproduce the problem.

Something like cascade keyset rutaba.ga algorithm propagation1-complete 7200 .

[Philip-NLnetLabs]

That is very unlikely. The 7200 value is only used to determine how long to wait for cached data to expire. It does not get used when signing DNSKEY RRsets.

[Philip-NLnetLabs]

@bortzmeyer your article also has clear signs that Cascade is doing something weird with RRSIG TTLs.

[Philip-NLnetLabs]

This seems to be caused by the domain::zonetree::Zone datatype that collects all RRSIG records for a name in a single RRset and forces them to have the same TTL.

[ximon18]

I made a couple of workarounds for this:

• Serve fake RRSIG RRSET with corrected TTL. #214
• HACK: Serve the original TTL of the RRSIG via XFR, not the RRSIG RRSET TTL. domain#577

These aren't a proper fix, that will have to wait until either the domain::zonetree::Zone type is made DNSSEC aware or we introduce a dedicated zone (tree) type into Cascade.

[ximon18]

@bortzmeyer: We have merged #214 into main and it will be included in the upcoming 0.1.0-alpha2 release.

[ximon18]

This seems to be caused by the domain::zonetree::Zone datatype that collects all RRSIG records for a name in a single RRset and forces them to have the same TTL.

As we are revisiting zone storage in Casade, even though we patched this in an earlier alpha release, I think it would be good to leave this open as a reminder that we should have a test case that ensures that the changes we make concerning zone storage don't reintroduce the problem.