DS record TTL question.

Mark Andrews marka at isc.org
Thu Aug 9 05:26:38 UTC 2012

In message <CAEKtLiSEAkw-XskaeTgd7twkXUaxrkywYAkyBg2DE_16tRv61Q at mail.gmail.com>
, Casey Deccio writes:
> On Wed, Aug 8, 2012 at 9:36 AM, GS Bryan <chifuyu at anime.my> wrote:
> > My question is how can I control the TTL of the DS record inserted into a
> > signed zone via inline signing? I'm using BIND 9.9.1 P2.
> >
> > My zone file has a default TTL of 3600 a.k.a. 1 hour, but it seems the 2
> > DS records put into the signed version of the zone has the TTL of 1 day. I
> > would like that the zone default TTL be obeyed when the DS records are
> > being inserted during inline signing.
> >
> I don't know about BIND's default behavior for DS TTL or its options for
> customizing the TTL, but according to RFC 4035 (Section 2.4):
> The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
>    (that is, the NS RRset from the same zone containing the DS RRset).
> Casey

Named doesn't add DS record as part of the inline signing process.

You need to look at the tool used to add the DS records.

Inline signing adds DNSKEY, NSEC, NSEC3 and NSEC3PARAM records.  DS
is just data as far as inline signing is concerned.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list