nsupdate, dnssec, minimum ttl
Mark Andrews
marka at isc.org
Fri Jun 18 01:42:57 UTC 2010
In message <4C1A7319.3010903 at usc.edu>, Eric Ham writes:
> I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with
> setting up dnssec. So far my tests are working well with dynamic updates
> and validation of the dnssec records, but I have a question on how the
> TTL is set for the NSEC and RRSIG NSEC records.
>
> As a test, when I do the following update:
>
> nsupdate
> > ttl 7200
> > update add ldap5.example.com CNAME ldap.example.com
> > send
>
> I then see the following set of entries via named-journalprint with the
> respective TTLs.
>
> add ldap5.example.com. 7200 IN CNAME ldap.example.com.
> add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 ...
> add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
> add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
> add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
> add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
>
> It would appear that the NSEC and RRSIG NSEC TTLs are set to my
> example.com zone's minimum TTL which is 86400 instead of inheriting the
> TTL I set of 7200.
>
> Is this the expected behavior? I guess I was hoping that since nsupdate
> was auto creating the NSEC and RRSIG NSEC records for me, that it would
> inherit the "ttl 7200" value.
Yes. Negative response TTL is set from the SOA minimum field (RFC 2308).
NSEC and NSEC3 records prove negative responses.
> Regards,
> -Eric
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
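The rule Mark states (NSEC TTL comes from the SOA minimum, RFC 2308; RFC 4035 section 2.3 says the same for NSEC, and RFC 4034 section 3 requires an RRSIG's TTL to equal the TTL of the RRset it covers and its Original TTL field) can be turned into a check over named-journalprint output. The following Python is an added example written for this page, not code from the thread or from BIND: it parses journal lines, takes the zone's SOA minimum as a parameter, and reports any NSEC or RRSIG record whose TTL is not what those RFCs call for. The sample journal text is constructed from the lines quoted above, with the RRSIG rdata truncated to `...` as in the post.

```python
"""Check NSEC / RRSIG TTLs in named-journalprint output against RFC expectations.

Expected values:
  * NSEC TTL == SOA minimum field               (RFC 2308, RFC 4035 s2.3)
  * RRSIG TTL == TTL of the covered RRset        (RFC 4034 s3)
  * RRSIG TTL == RRSIG "Original TTL" rdata field (RFC 4034 s3)
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample, modelled on the named-journalprint lines quoted in the thread.
# The 7200 / 86400 values are the ones from the message; signature rdata after the
# Original TTL field is truncated with "..." exactly as the poster showed it.
SAMPLE_JOURNAL = """\
add ldap5.example.com. 7200 IN CNAME ldap.example.com.
add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 ...
add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
"""


@dataclass
class RR:
    op: str        # "add" or "del"
    owner: str     # owner name, lower-cased
    ttl: int
    rtype: str     # RR type mnemonic, upper-cased
    rdata: list    # remaining whitespace-separated rdata fields


def parse_journal(text: str) -> list:
    """Parse 'add|del OWNER TTL CLASS TYPE RDATA...' lines; skip anything else."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("add", "del"):
            continue  # journal headers, blank lines, etc.
        op, owner, ttl, _cls, rtype, *rdata = fields
        rrs.append(RR(op, owner.lower(), int(ttl), rtype.upper(), rdata))
    return rrs


def check_ttls(rrs: list, soa_minimum: int) -> list:
    """Return (owner, type, problem) tuples for records whose TTL violates the rules."""
    # TTL of every non-RRSIG RRset added in this journal, keyed by (owner, type),
    # so each RRSIG can be compared with the RRset it covers.
    rrset_ttl = {}
    for rr in rrs:
        if rr.op == "add" and rr.rtype != "RRSIG":
            rrset_ttl.setdefault((rr.owner, rr.rtype), rr.ttl)

    problems = []
    for rr in rrs:
        if rr.op != "add":
            continue
        if rr.rtype == "NSEC":
            if rr.ttl != soa_minimum:
                problems.append((rr.owner, "NSEC",
                                 f"ttl {rr.ttl} != SOA minimum {soa_minimum}"))
        elif rr.rtype == "RRSIG":
            # RRSIG rdata: type-covered algorithm labels original-ttl ...
            covered = rr.rdata[0].upper()
            original_ttl = int(rr.rdata[3])
            if rr.ttl != original_ttl:
                problems.append((rr.owner, f"RRSIG {covered}",
                                 f"ttl {rr.ttl} != Original TTL field {original_ttl}"))
            # The RRset an NSEC-covering RRSIG must match is the NSEC, whose TTL
            # is the SOA minimum; other RRSIGs follow the covered RRset's TTL.
            expected = soa_minimum if covered == "NSEC" else rrset_ttl.get((rr.owner, covered))
            if expected is not None and rr.ttl != expected:
                problems.append((rr.owner, f"RRSIG {covered}",
                                 f"ttl {rr.ttl} != covered RRset ttl {expected}"))
    return problems


if __name__ == "__main__":
    # With the zone's real SOA minimum (86400) the quoted journal is exactly right.
    for p in check_ttls(parse_journal(SAMPLE_JOURNAL), 86400) or [("-", "-", "no TTL problems")]:
        print(*p)
```

Run against a real journal with `named-journalprint example.com.jnl | python3 check_nsec_ttl.py` after swapping `SAMPLE_JOURNAL` for `sys.stdin.read()`; the SOA minimum to pass in is the last field of the zone's SOA rdata.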