DS record TTL question.

Mark Andrews marka at isc.org
Thu Aug 9 05:47:17 UTC 2012


In message <CAOJ-cLjgjTJ_qm2PNfi3iV_0ZZfXESNK9uPuAhHr-SUkAhrTfg at mail.gmail.com>
, GS Bryan writes:
> Hmm... so what tool adds the DS key? I never use the dnssec-signzone
> tool, so that's not it, right? What I want is for the DS record to have
> its TTL the same as the rest of the zone entries.
> --
> Bryan S.G.

I don't know what tool you used.  If you are maintaining the records
by hand then you probably cut-and-pasted the records along with an
explicit TTL.  If you used nsupdate then the TTL was specified in
the update request.

Mark

> On Thu, Aug 9, 2012 at 1:26 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > In message <CAEKtLiSEAkw-XskaeTgd7twkXUaxrkywYAkyBg2DE_16tRv61Q at mail.gmail.com>
> > , Casey Deccio writes:
> >>
> >> On Wed, Aug 8, 2012 at 9:36 AM, GS Bryan <chifuyu at anime.my> wrote:
> >>
> >> > My question is how can I control the TTL of the DS record inserted into a
> >> > signed zone via inline signing? I'm using BIND 9.9.1 P2.
> >> >
> >> > My zone file has a default TTL of 3600 a.k.a. 1 hour, but it seems the 2
> >> > DS records put into the signed version of the zone have the TTL of 1 day. I
> >> > would like that the zone default TTL be obeyed when the DS records are
> >> > being inserted during inline signing.
> >> >
> >>
> >> I don't know about BIND's default behavior for DS TTL or its options for
> >> customizing the TTL, but according to RFC 4035 (Section 2.4):
> >>
> >> The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
> >>    (that is, the NS RRset from the same zone containing the DS RRset).
> >>
> >> Casey
> >
> > Named doesn't add DS records as part of the inline signing process.
> >
> > You need to look at the tool used to add the DS records.
> >
> > Inline signing adds DNSKEY, NSEC, NSEC3 and NSEC3PARAM records.  DS
> > is just data as far as inline signing is concerned.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
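
Added example, not part of the original thread and not BIND code: a Python check for the situation discussed above, where a DS record pasted in with an explicit TTL (1 day) overrides the zone's `$TTL` (3600) and so no longer matches the delegating NS RRset, as RFC 4035 Section 2.4 says it should. The zone text, names and digests are constructed, and the parser assumes one record per line with no parenthesised continuation lines.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+[smhdw]?)+$", re.I)

# Constructed sample zone: names and DS digests are placeholders.
SAMPLE = """\
; constructed example zone
$TTL 3600
example.test.              IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
                           IN NS  ns1.example.test.
child.example.test.        IN NS  ns1.child.example.test.
child.example.test. 86400  IN DS  12345 8 2 0123ABCD
ok.example.test.           IN NS  ns1.ok.example.test.
ok.example.test.           IN DS  12345 8 2 4567CDEF
"""

def parse_ttl(tok):
    """Convert '3600', '1h' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[(u or "s").lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", tok, re.I))

def rrset_ttls(zone_text):
    """Return {(owner, type): effective TTL} for a simplified master file."""
    default_ttl, owner, ttls = None, None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if not line[0].isspace():                 # owner name in column one
            owner = fields.pop(0).lower()
        ttl = default_ttl                         # used when no explicit TTL
        # TTL and class are optional and may appear in either order.
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() == "IN"):
            tok = fields.pop(0)
            if tok.upper() != "IN":
                ttl = parse_ttl(tok)              # explicit TTL wins over $TTL
        ttls.setdefault((owner, fields[0].upper()), ttl)
    return ttls

def ds_ttl_mismatches(zone_text):
    """List (owner, ds_ttl, ns_ttl) where DS TTL differs from the NS TTL."""
    ttls = rrset_ttls(zone_text)
    return [(o, t, ttls.get((o, "NS")))
            for (o, typ), t in sorted(ttls.items())
            if typ == "DS" and ttls.get((o, "NS")) != t]
```

Calling `ds_ttl_mismatches(SAMPLE)` reports only `child.example.test.`, the delegation whose DS line carries its own TTL.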


