nsupdate, dnssec, minimum ttl

Mark Andrews marka at isc.org
Fri Jun 18 01:42:57 UTC 2010


In message <4C1A7319.3010903 at usc.edu>, Eric Ham writes:
> I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with 
> setting up dnssec. So far my tests are working well with dynamic updates 
> and validation of the dnssec records, but I have a question on how the 
> TTL is set for the NSEC and RRSIG NSEC records.
> 
> As a test, when I do the following update:
> 
> nsupdate
>  > ttl 7200
>  > update add ldap5.example.com CNAME ldap.example.com
>  > send
> 
> I then see the following set of entries via named-journalprint with the 
> respective TTLs.
> 
> add ldap5.example.com. 7200    IN      CNAME   ldap.example.com.
> add ldap5.example.com. 7200    IN      RRSIG   CNAME 5 3 7200 ...
> add ldap5.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
> add ldap4.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
> add ldap4.example.com. 86400   IN      NSEC    ldap5.example.com. CNAME RRSIG NSEC
> add ldap5.example.com. 86400   IN      NSEC    ldp.example.com. CNAME RRSIG NSEC
> 
> It would appear that the NSEC and RRSIG NSEC TTLs are set to my 
> example.com zone's minimum TTL which is 86400 instead of inheriting the 
> TTL I set of 7200.
> 
> Is this the expected behavior? I guess I was hoping that since nsupdate 
> was auto creating the NSEC and RRSIG NSEC records for me, that it would 
> inherit the "ttl 7200" value.

Yes.  Negative response TTL is set from the SOA minimum field (RFC 2308).
NSEC and NSEC3 records prove negative responses.
 
> Regards,
> -Eric
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
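The behaviour described in this thread (NSEC and RRSIG NSEC taking the SOA MINIMUM TTL rather than the TTL given to nsupdate) is what RFC 4034 section 4 and RFC 5155 section 3 call for, and RFC 4034 section 3 additionally requires an RRSIG's TTL and its Original TTL field to equal the TTL of the RRset it covers. The following checker is an added example, not code from the post or from ISC; it lints named-journalprint or zone-file style lines for both rules. The sample input is constructed from the journal excerpt above, with an assumed SOA line (MINIMUM 86400) added so the checker knows the zone's negative-caching TTL, and with placeholder signature data.

```python
"""Lint DNSSEC TTL consistency in named-journalprint / zone-file style text.

Rules enforced (example code, not part of the original post):
  * RFC 4034 s3: an RRSIG's TTL and its Original TTL RDATA field must equal
    the TTL of the RRset it covers.
  * RFC 4034 s4 / RFC 5155 s3: NSEC and NSEC3 TTLs equal the SOA MINIMUM.
  * RFC 2181 s5.2: all RRs in one RRset share a TTL.
"""
import re
from collections import defaultdict

# Constructed sample: the journal excerpt from the post plus an assumed SOA
# line (MINIMUM = 86400). Signature data is a placeholder, not a real RRSIG.
SAMPLE_JOURNAL = """\
add example.com.       3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2010061801 7200 3600 1209600 86400
add ldap5.example.com. 7200    IN      CNAME   ldap.example.com.
add ldap5.example.com. 7200    IN      RRSIG   CNAME 5 3 7200 20100718000000 20100618000000 12345 example.com. AAAA
add ldap5.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 20100718000000 20100618000000 12345 example.com. AAAA
add ldap4.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 20100718000000 20100618000000 12345 example.com. AAAA
add ldap4.example.com. 86400   IN      NSEC    ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400   IN      NSEC    ldp.example.com. CNAME RRSIG NSEC
"""

# Optional "add"/"del" journal prefix, then owner, TTL, class IN, type, RDATA.
LINE_RE = re.compile(r"^(?:(?:add|del)\s+)?(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_records(text):
    """Return (owner, ttl, type, rdata_fields) tuples; 'del' lines and noise are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("del "):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append((name.lower(), int(ttl), rtype.upper(), rdata.split()))
    return records


def soa_minimum(records):
    """SOA MINIMUM is the last RDATA field (RFC 1035 s3.3.13); None if no SOA seen."""
    for _name, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[-1])
    return None


def check_ttls(records):
    """Return a list of human-readable findings; an empty list means all rules hold."""
    findings = []
    minimum = soa_minimum(records)

    # TTLs observed per (owner, type) RRset, RRSIGs excluded.
    rrset_ttls = defaultdict(set)
    for name, ttl, rtype, _rdata in records:
        if rtype != "RRSIG":
            rrset_ttls[(name, rtype)].add(ttl)

    # RFC 2181: every RR of an RRset carries the same TTL.
    for (name, rtype), ttls in rrset_ttls.items():
        if len(ttls) > 1:
            findings.append(f"{name} {rtype} RRset has mixed TTLs {sorted(ttls)}")

    for name, ttl, rtype, rdata in records:
        # Negative-proof records follow SOA MINIMUM, not the neighbouring data TTL.
        if rtype in ("NSEC", "NSEC3") and minimum is not None and ttl != minimum:
            findings.append(f"{name} {rtype} TTL {ttl} != SOA MINIMUM {minimum}")
        if rtype == "RRSIG":
            covered = rdata[0].upper()      # type covered
            original_ttl = int(rdata[3])    # Original TTL field
            if original_ttl != ttl:
                findings.append(
                    f"{name} RRSIG {covered}: Original TTL {original_ttl} != RR TTL {ttl}")
            covered_ttls = rrset_ttls.get((name, covered))
            if covered_ttls and covered_ttls != {ttl}:
                findings.append(
                    f"{name} RRSIG {covered} TTL {ttl} != covered RRset TTL {sorted(covered_ttls)}")
    return findings


if __name__ == "__main__":
    for finding in check_ttls(parse_records(SAMPLE_JOURNAL)) or ["no TTL inconsistencies"]:
        print(finding)
```

Feed it `named-journalprint` output or a signed zone file; a clean run of the excerpt above produces no findings, while hand-editing an NSEC TTL to 7200 (as the poster hoped nsupdate would do) is reported twice, once against the SOA MINIMUM and once as a mismatch with the RRSIG that covers it.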