[Freeipa-devel] [PATCH 0152] Replace TTL values > 2^31-1 with 0.

Tomas Babej tbabej at redhat.com
Fri May 3 13:04:26 UTC 2013


On 05/03/2013 02:55 PM, Petr Spacek wrote:
> On 3.5.2013 14:35, Tomas Babej wrote:
>> On 04/30/2013 03:45 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Replace TTL values > 2^31-1 with 0.
>>>
>>> The rule comes from RFC 2181 section 8.
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/117
>>>
>>
>> ACK, works fine.
>>
>> Just one question though, the patch as it is leaves the invalid TTL
>> value in the tree, even though it is never interpreted as one (thanks
>> to this patch).
>>
>> $ ipa dnsrecord-show ipa.example.com skuska --all
>>    dn: idnsname=skuska,idnsname=ipa.example.com,cn=dns,dc=ipa,dc=example,dc=com
>>    Record name: skuska
>>    Time to live: 2147483648
>>    A record: 192.168.0.1
>>    objectclass: top, idnsrecord
>>
>> from /var/log/messages:
>> named[18275]: entry 'idnsname=skuska,idnsname=ipa.example.com,cn=dns,dc=ipa,dc=example,dc=com': entry TTL 2147483648 > MAXTTL, setting TTL to 0
>>
>> Wouldn't that be confusing to the user? Shouldn't we fix the TTL
>> value set in the entry as well?
>
> It is exactly what "original" BIND does. I would like to imitate the 
> same behaviour if you are not against it strongly.
>
> I think that:
> 1) Somebody could use bind-dyndb-ldap with read-only access to LDAP.
> 2) It will unnecessarily complicate the code.
>
I'm not strongly against it, just opening a discussion.

I agree that this is probably the path of least surprise if it
imitates BIND behaviour.
Read-only access is a reasonable argument as well.

Have my confirmed ACK then, thanks for the clarification.

Tomas
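For readers who want to see the RFC 2181 section 8 rule the patch applies, here is an added example (my own illustration, not bind-dyndb-ldap or BIND code) of reading a TTL string from an LDAP entry and clamping it the way the log line above describes. The function name `ttl_from_ldap` and the `DNS_MAXTTL` constant are assumptions for the example; the log text mirrors the message quoted in the thread.

```c
/* Added example, not bind-dyndb-ldap code: a DNS TTL is an unsigned 32-bit
 * value, and RFC 2181 section 8 says a TTL with the most significant bit set
 * (i.e. > 2^31 - 1) must be treated as if it were 0. The LDAP entry itself
 * is left untouched, exactly as the thread discusses. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DNS_MAXTTL 2147483647ULL   /* 2^31 - 1, largest valid TTL (assumed name) */

/* Parse the textual TTL attribute of an LDAP entry.
 * Returns 0 on success (with *ttl set and *clamped = 1 if the RFC 2181
 * rule fired), -1 if the text is not a non-negative decimal that fits
 * in 32 bits at all (such an entry should be rejected, not clamped). */
int ttl_from_ldap(const char *text, uint32_t *ttl, int *clamped)
{
    char *end;
    unsigned long long v;

    *clamped = 0;
    if (text == NULL || !isdigit((unsigned char)*text))
        return -1;                  /* empty, sign, whitespace or garbage */
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;                  /* trailing junk or overflow */
    if (v > UINT32_MAX)
        return -1;                  /* not a 32-bit quantity at all */
    if (v > DNS_MAXTTL) {           /* high bit set: treat as 0 (RFC 2181 s.8) */
        *clamped = 1;
        v = 0;
    }
    *ttl = (uint32_t)v;
    return 0;
}

/* Reproduces the named log line from the thread for the entry shown there. */
int main(void)
{
    const char *dn = "idnsname=skuska,idnsname=ipa.example.com,cn=dns,"
                     "dc=ipa,dc=example,dc=com";   /* value from the thread */
    const char *raw = "2147483648";               /* value from the thread */
    uint32_t ttl;
    int clamped;

    if (ttl_from_ldap(raw, &ttl, &clamped) != 0)
        return 1;
    if (clamped)
        fprintf(stderr, "entry '%s': entry TTL %s > MAXTTL, setting TTL to 0\n", dn, raw);
    printf("effective TTL: %u\n", (unsigned)ttl);  /* prints 0 */
    return 0;
}
```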