[Freeipa-devel] [PATCH 0152] Replace TTL values > 2^31-1 with 0.
thozza at redhat.com
Fri May 3 13:19:18 UTC 2013
----- Original Message -----
> On 3.5.2013 14:35, Tomas Babej wrote:
> > On 04/30/2013 03:45 PM, Petr Spacek wrote:
> >> Hello,
> >> Replace TTL values > 2^31-1 with 0.
> >> The rule comes from RFC 2181 section 8.
> >> https://fedorahosted.org/bind-dyndb-ldap/ticket/117
> >> _______________________________________________
> >> Freeipa-devel mailing list
> >> Freeipa-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> > ACK, works fine.
> > Just one question though, the patch as it is leaves the invalid TTL value
> > in the tree, even though it is never interpreted as one (thanks to this patch).
> > $ ipa dnsrecord-show ipa.example.com skuska --all
> > dn:
> > idnsname=skuska,idnsname=ipa.example.com,cn=dns,dc=ipa,dc=example,dc=com
> > Record name: skuska
> > Time to live: 2147483648
> > A record: 192.168.0.1
> > objectclass: top, idnsrecord
> > from /var/log/messages:
> > named: entry
> > 'idnsname=skuska,idnsname=ipa.example.com,cn=dns,dc=ipa,dc=example,dc=com':
> > entry TTL 2147483648 > MAXTTL, setting TTL to 0
> > Wouldn't that be confusing to the user? Shouldn't we fix the TTL value set
> > in the entry as well?
> It is exactly what "original" BIND does. I would like to imitate the same
> behaviour if you are not against it strongly.
> I think that:
> 1) Somebody could use bind-dyndb-ldap with read-only access to LDAP.
> 2) It will unnecessarily complicate the code.
> Petr^2 Spacek
The patch looks good. I also agree with Petr's reasoning. There is also
an error logged when the TTL has the MSB set, so one can notice there is a bad
TTL value set in LDAP.
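The RFC 2181 section 8 rule the patch implements, as an added example in C that is not the patch's or bind-dyndb-ldap's own code: the function name, result struct and exact log wording are assumptions modelled on the named log line quoted above. It parses the TTL string stored on an LDAP entry, treats any value above 2^31-1 as 0 while reporting it, and also flags strings that are not valid 32-bit numbers so a bad value in the tree is never silently used.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2181 section 8: a TTL is an unsigned 32-bit value, but any value with
 * the most significant bit set (i.e. > 2^31-1) must be treated as 0. */
#define MAXTTL 0x7FFFFFFFu

/* Outcome of interpreting one TTL attribute value read from LDAP (assumed layout). */
typedef struct {
    uint32_t ttl;      /* effective TTL handed to the zone */
    int      clamped;  /* 1 if the stored value exceeded MAXTTL and became 0 */
    int      invalid;  /* 1 if the string was not a valid 32-bit number */
    char     msg[192]; /* log line for the operator, empty when nothing to report */
} ttl_result;

/* Parse the textual TTL of an entry and apply the RFC 2181 rule.
 * `dn` is used only in the log message, mirroring the named log line. */
ttl_result ldap_ttl_to_effective(const char *dn, const char *text)
{
    ttl_result r = {0, 0, 0, ""};
    char *end = NULL;
    unsigned long long v;

    errno = 0;
    v = strtoull(text, &end, 10);
    /* strtoull silently accepts a leading '-', so reject that explicitly;
     * also reject empty input, trailing junk and anything above 2^32-1. */
    if (end == text || *end != '\0' || errno == ERANGE || v > UINT32_MAX
        || strchr(text, '-') != NULL) {
        r.invalid = 1;
        snprintf(r.msg, sizeof r.msg,
                 "entry '%s': TTL '%s' is not a valid 32-bit value", dn, text);
        return r;
    }
    if (v > MAXTTL) {
        /* MSB set: serve the record with TTL 0 but leave a trace in the log */
        r.clamped = 1;
        r.ttl = 0;
        snprintf(r.msg, sizeof r.msg,
                 "entry '%s': entry TTL %llu > MAXTTL, setting TTL to 0", dn, v);
        return r;
    }
    r.ttl = (uint32_t)v;
    return r;
}
```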