DNSSEC upgrade

Tony Finch dot at dotat.at
Fri Apr 30 18:15:00 UTC 2021

Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> One question however it talk about longest TTL, does this mean also root
> TLD zones (.com, .net) which from memory are 48 hours, so before we delete
> old keys we need wait 48 hours, even though our zone TTL was 24 ?

When you are waiting after adding and signing with the new keys and before
swapping the DS records, it's only the longest TTL in your own zone that
matters. In my notes I call this the "child TTL" because the root and TLD
etc. don't matter.


When you're waiting for the DS TTL it's only the TTL of that particular
record that matters. (It's in the parent zone so I called it the parent
TTL.) To be sure you are getting the right number you will need something

	dig +ttlunits example.com ds @$(dig +short com ns | head -1)

i.e. pick one of the nameservers of the parent zone and ask it for your
zone's DS record, so you don't get mislead by decremented cached TTLs.
Note the DS TTL is often not the same as the parent NS or glue TTL.

> Thank you, wow much much easy than I hoped for :-)

I'm happy it helped!

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Biscay: North, backing northwest later, 2 to 4, occasionally 5 later
in east. Slight. Showers. Good.

More information about the bind-users mailing list