[GH-ISSUE #3306] Invalid TTL for RRSIG records #1167

Closed
opened 2026-03-16 01:47:25 +03:00 by kerem · 1 comment

Originally created by @msrd0 on GitHub (Oct 11, 2025).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/3306

**Describe the bug**

According to [RFC4034](https://datatracker.ietf.org/doc/html/rfc4034#section-3):

> The TTL value of an RRSIG RR MUST match the TTL value of the RRset it covers.

I however observed this network response from hickory-dns:

```
$ kdig +dnssec -p 1234 www.example.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26705
;; Flags: qr aa rd; QUERY: 1; ANSWER: 6; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.example.com.    		IN	A

;; ANSWER SECTION:
www.example.com.    	900	IN	A	127.0.0.1
www.example.com.    	86400	IN	RRSIG	A 8 3 900 20261010160343 20251011160343 30434 example.com. a8IMfado/PSPtQ3579guzia8xJK2N/w75yyBqX8LPO8fFlhwgLD+PebeEel652zsSJz8p3X2CGUWVEAnM6atE2SExzbXq9/eOQe4r0YPKtVNGQuG/S0Mbft+XcWwiyOp39DAFBG4ADToet5OSV8BKHtD6rrd+qeE8xZHqT8KcZOEqb38SJcWmXUwF8XzDWTOnNQQTGKxDsoVYSKPy7oIRulwZ+Jdb7t4eG3/XAXhC4r9SpJ5RcpyPYXnXlx98r3bozWX6V6GhcYYqTKvlbTzEvvxDJCLHgtSjm/YLq0nCe6IgMHugGK9/tYdxofpXlXVEsXGVfM/nz9nbWJGKe6g1w==
www.example.com.    	86400	IN	RRSIG	A 10 3 900 20261010160343 20251011160343 30436 example.com. PgkR2LC9KwKdqADOiTgXshCUSiKf48Wh87kDfETTI8WpvDjBHhdSwMC8NpJvTaFhSGd0ZGGgXUIv4Wxf2KBVKOT9Lw7hOJtXI5IiesH1Tpqamjpka+CQtc3MjM6/ZAH0Tn+QurajgQHFmV9S6PbnBnCt22C4y5MLUvjCNnMQ3lwxveBjRg/IypEQMlGPPX+I5ZTmeRdxqMs1mEI+PeJ2+jDBM4x2vSyRhOjyhzHIpMOicyirkigeSC1OtQth9FhQRE5YQzgGMMMuehXFnhOJPAiy2ZNfepOZnrsaip+L/s0eFHgwkzvzKkeDUzcRKu+L9oXvIUnwGSoCEv1j9hr8fg==
www.example.com.    	86400	IN	RRSIG	A 13 3 900 20261010160343 20251011160343 9436 example.com. QNY8vNRRxt9fKBiGEWehz6Jg9MA2+yxJEfDrV1xfn14jtm9JwK9/46R6rMMvn8JUT0Lz73RKRB38P0gwwlikDQ==
www.example.com.    	86400	IN	RRSIG	A 14 3 900 20261010160343 20251011160343 52623 example.com. 1VgsxZ76gXy/ziyS//h9nBV9GIebQhtFeGW7lICc+7kuB+kkfHG2j1Akq9CDeXhjJJjMJF6ddmdvQW0v9Mw+bawSBQDKJ3WtqYnzKwkiA0zQf8kAI0SOiex+v/zmZAmI
www.example.com.    	86400	IN	RRSIG	A 15 3 900 20261010160343 20251011160343 45440 example.com. lq8Z7TbJi6c7DU7OI+6CHvwXOUBk3NDQMdn9FnZySBiC2Yjdq38zFQWC0f+JqBHYqKgi6G+/3PRvXDUp/9yHDw==

;; Received 1026 B
;; Time 2025-10-11 18:03:45 CEST
;; From ::1@1234(UDP) in 0.5 ms
```

This is in clear violation of the RFC.

**To Reproduce**
Steps to reproduce the behaviour:

  1. Change the TTL for a record, e.g.
    diff --git a/tests/test-data/test_configs/example.com.zone b/tests/test-data/test_configs/example.com.zone
    index 94ee3a107..e0c8c6b2a 100644
    --- a/tests/test-data/test_configs/example.com.zone
    +++ b/tests/test-data/test_configs/example.com.zone
    @@ -12,6 +12,8 @@
    
                    ANAME   www
    
    +$TTL 900
    +
    www             A       127.0.0.1
                    AAAA    ::1
    
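Review bot: `$TTL 900` is a zone-file directive that changes the default TTL for every record that follows it, so the `AAAA ::1` line and anything later in the file also drop to 900, not only `www A`; that is fine for reproducing the bug (and means the RRSIG over the AAAA RRset should show the same 86400-versus-900 mismatch), but a TTL written on the `www A` line itself would keep the change minimal and limit the repro to the one RRset the report discusses.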
  2. Run `cargo run --bin hickory-dns --features dnssec-ring -- -c test-data/test_configs/all_supported_dnssec.toml -p 1234 -z test-data/test_configs/` in the `tests` folder of this repository

**Expected behavior**
The RRSIG records should match the TTL of the A record they are signing.

**System:**

  • OS: I use Arch btw
  • Architecture: x86_64
  • Version: rolling release
  • rustc version: rustc 1.90.0 (1159e78c4 2025-09-14)

**Version:**
Crate: hickory-dns
Version: latest git commit dfcbc6a0b51adc329ce0558fc30bf34d3a0a826b

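Added example, mine rather than code from hickory-dns or from the reporter: a small Rust check that applies the RFC 4034 rule quoted in the report to an answer section built from the kdig output above, and a helper that aligns each RRSIG's TTL with the RRset it covers, which is what the one-line fix proposed further down in this thread does on the server side. The `Record`/`RData` types, the RRSIG data reduced to type covered, Original TTL and key tag, and the sample records are simplified constructions; signature bytes and the remaining RRSIG fields are omitted.

```rust
// Added example, not hickory-dns code. Checks two RFC 4034 section 3 rules
// for every RRSIG in a section: the RRSIG's own TTL must equal the TTL of
// the RRset it covers, and the Original TTL field in the RRSIG RDATA must
// equal that RRset TTL as well. Types are deliberately minimal.

#[allow(dead_code)]
#[derive(Debug, Clone)]
enum RData {
    A([u8; 4]),
    // Only the RRSIG fields this check needs; signature bytes etc. omitted.
    Rrsig { type_covered: &'static str, original_ttl: u32, key_tag: u16 },
}

#[derive(Debug, Clone)]
struct Record {
    name: &'static str,
    rtype: &'static str,
    ttl: u32,
    rdata: RData,
}

#[derive(Debug, PartialEq)]
struct TtlMismatch {
    name: String,
    type_covered: String,
    key_tag: u16,
    rrset_ttl: u32,
    rrsig_ttl: u32,
    original_ttl: u32,
}

/// One entry per RRSIG whose record TTL or Original TTL field disagrees
/// with the TTL of the RRset it covers.
fn find_ttl_mismatches(records: &[Record]) -> Vec<TtlMismatch> {
    let mut out = Vec::new();
    for sig in records {
        let (type_covered, original_ttl, key_tag) = match &sig.rdata {
            RData::Rrsig { type_covered, original_ttl, key_tag } => (*type_covered, *original_ttl, *key_tag),
            _ => continue,
        };
        // All members of an RRset share one TTL (RFC 2181 section 5.2), so the
        // first record of the covered type at the same owner name is enough.
        // An RRSIG whose RRset is absent from the section is skipped: that is
        // a different problem from a TTL mismatch.
        let rrset_ttl = match records.iter().find(|r| r.name == sig.name && r.rtype == type_covered) {
            Some(r) => r.ttl,
            None => continue,
        };
        if sig.ttl != rrset_ttl || original_ttl != rrset_ttl {
            out.push(TtlMismatch {
                name: sig.name.to_string(),
                type_covered: type_covered.to_string(),
                key_tag,
                rrset_ttl,
                rrsig_ttl: sig.ttl,
                original_ttl,
            });
        }
    }
    out
}

/// Gives every RRSIG the TTL of the RRset it covers instead of whatever it
/// carried before (the zone default, in the report).
fn align_rrsig_ttls(mut records: Vec<Record>) -> Vec<Record> {
    let rrset_ttls: Vec<(&'static str, &'static str, u32)> = records
        .iter()
        .filter(|r| r.rtype != "RRSIG")
        .map(|r| (r.name, r.rtype, r.ttl))
        .collect();
    for rec in records.iter_mut() {
        let covered = match &rec.rdata {
            RData::Rrsig { type_covered, .. } => *type_covered,
            _ => continue,
        };
        if let Some((_, _, ttl)) = rrset_ttls.iter().find(|(n, t, _)| *n == rec.name && *t == covered) {
            rec.ttl = *ttl;
        }
    }
    records
}

/// Constructed sample mirroring the kdig answer section in the report:
/// one A record at TTL 900 and five RRSIGs at the zone default 86400,
/// each with Original TTL 900 (the fourth RDATA field, e.g. "A 8 3 900").
fn sample_answer() -> Vec<Record> {
    let a = Record { name: "www.example.com.", rtype: "A", ttl: 900, rdata: RData::A([127, 0, 0, 1]) };
    let sigs = vec![30434u16, 30436, 9436, 52623, 45440].into_iter().map(|key_tag| Record {
        name: "www.example.com.",
        rtype: "RRSIG",
        ttl: 86400,
        rdata: RData::Rrsig { type_covered: "A", original_ttl: 900, key_tag },
    });
    std::iter::once(a).chain(sigs).collect()
}

fn main() {
    for m in find_ttl_mismatches(&sample_answer()) {
        println!(
            "{} RRSIG({}) key tag {}: RRSIG TTL {} vs RRset TTL {} (Original TTL {})",
            m.name, m.type_covered, m.key_tag, m.rrsig_ttl, m.rrset_ttl, m.original_ttl
        );
    }
    let fixed = align_rrsig_ttls(sample_answer());
    println!("after aligning: {} mismatches", find_ttl_mismatches(&fixed).len());
}
```

Run against the constructed sample the check reports all five RRSIGs (86400 against 900) and nothing once the TTLs are aligned; the Original TTL check is separate because the report shows that field was already correct, so a test for the fix should assert both values rather than only the record TTL.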
kerem closed this issue 2026-03-16 01:47:30 +03:00

@marcus0x62 commented on GitHub (Oct 12, 2025):

It will be a few days until I can look at this further and add test coverage, but if you (or anyone else) wants to take a stab at this, the fix appears to be:

diff --git a/crates/server/src/store/in_memory/inner.rs b/crates/server/src/store/in_memory/inner.rs
index 8487265a3..26b0611d5 100644
--- a/crates/server/src/store/in_memory/inner.rs
+++ b/crates/server/src/store/in_memory/inner.rs
@@ -735,7 +735,7 @@ impl InnerInMemory {

             rr_set.insert_rrsig(Record::from_rdata(
                 rr_set.name().clone(),
-                zone_ttl,
+                rr_set.ttl(),
                 RData::DNSSEC(DNSSECRData::RRSIG(rrsig)),
             ));
         }
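Review bot: replacing `zone_ttl` with `rr_set.ttl()` fixes the record TTL, but RFC 4034 also requires the Original TTL field inside the RRSIG RDATA to equal the RRset TTL; the kdig output in the report already shows `A 8 3 900 ...`, i.e. Original TTL 900, so that part of signing was consistent and only the record TTL was taken from the zone default. If `zone_ttl` has no other use in this function after the change, drop it to avoid an unused-variable warning, and the test coverage promised above should assert both the RRSIG record TTL and its Original TTL against `rr_set.ttl()` for an RRset whose TTL differs from the zone's `$TTL`.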