Question about "max-zone-ttl" in dnssec-policy

Tom lists at verreckte-cheib.ch
Mon Sep 20 15:47:52 UTC 2021


Hi list

Testing dnssec-policy with BIND-9.16.21:

I'd like to better understand the "max-zone-ttl"-directive.
So I defined "max-zone-ttl 3600s;" within the dnssec-policy options, but 
when I configure the default zone TTL or even a resource record TTL 
higher than the "max-zone-ttl" (for example 7200s), it is not 
capped as described in the documentation.

Look here:
- Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
- The RR "www.example.com." has a TTL of 7200
- The server returns a TTL of 7200

$ dig @192.168.1.10 www.example.com +dnssec +multi
...
...
;; ANSWER SECTION:
www.example.com.	7200 IN A 127.0.0.1
www.example.com.	7200 IN RRSIG A 13 3 7200 (
				20211002202425 20210920143830 42786 example.com.
				3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
				lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
...
...


What do I misunderstand here?

Many thanks for a hint.

Kind regards,
Tom
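The check behind this question, as an added example that is not part of the original post and not BIND code: a small parser for the ANSWER SECTION of `dig ... +dnssec +multi` output (the multi-line RRSIG layout shown above) that flags every RR served with a TTL above the configured max-zone-ttl, and also compares the original-TTL field inside each RRSIG with the TTL of the RRset it covers. The embedded sample is the dig output from the post; the function names, the `RR` dataclass and the mismatched-TTL input used in the usage note are assumptions made for this example.

```python
"""Verify served TTLs against a dnssec-policy max-zone-ttl (added example).

Parses the ANSWER SECTION of `dig ... +dnssec +multi` output and reports
RRs whose TTL exceeds the cap, RRSIGs whose original-TTL field disagrees
with the covered RRset, and the validity window of each RRSIG.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sample taken from the post (www.example.com, TTL 7200, RRSIG with +multi line wrapping).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
www.example.com.\t7200 IN A 127.0.0.1
www.example.com.\t7200 IN RRSIG A 13 3 7200 (
\t\t\t\t20211002202425 20210920143830 42786 example.com.
\t\t\t\t3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
\t\t\t\tlTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
"""


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: list = field(default_factory=list)  # RDATA split on whitespace


def _parse_rr(line: str) -> RR:
    """Parse one logical record; +multi parentheses are just whitespace here."""
    fields = line.replace("(", " ").replace(")", " ").split()
    name, ttl, klass, rtype, *rdata = fields
    if klass != "IN":
        raise ValueError(f"unexpected class {klass!r} in {line!r}")
    return RR(name, int(ttl), rtype, rdata)


def parse_answer_section(text: str) -> list:
    """Return the RRs of the ANSWER SECTION, joining +multi continuation lines."""
    records, buf, in_answer = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer or not line:
            continue
        if line.startswith(";;"):  # next section header ends the answer section
            break
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # still inside a parenthesised multi-line record
        records.append(_parse_rr(buf))
        buf = ""
    if buf:
        records.append(_parse_rr(buf))
    return records


def ttl_violations(records: list, max_zone_ttl: int) -> list:
    """(owner, type, ttl) for every RR served with a TTL above the cap."""
    return [(r.name, r.rtype, r.ttl) for r in records if r.ttl > max_zone_ttl]


def rrsig_original_ttl_mismatches(records: list) -> list:
    """(owner, covered type, RR ttl, RRSIG original ttl) where the two differ.

    RRSIG RDATA layout: type_covered alg labels original_ttl expiration
    inception keytag signer signature.  An authoritative server should serve
    the covered RRset with exactly the TTL that was signed.
    """
    rrsets = {}
    for r in records:
        if r.rtype != "RRSIG":
            rrsets.setdefault((r.name, r.rtype), []).append(r)
    mismatches = []
    for sig in records:
        if sig.rtype != "RRSIG":
            continue
        covered, original_ttl = sig.rdata[0], int(sig.rdata[3])
        for rr in rrsets.get((sig.name, covered), []):
            if rr.ttl != original_ttl:
                mismatches.append((sig.name, covered, rr.ttl, original_ttl))
    return mismatches


def rrsig_lifetime_seconds(sig: RR) -> int:
    """Signature validity window (expiration minus inception) in seconds."""
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(sig.rdata[4], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(sig.rdata[5], fmt).replace(tzinfo=timezone.utc)
    return int((expiration - inception).total_seconds())


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_DIG_OUTPUT)
    print("above max-zone-ttl 3600:", ttl_violations(recs, 3600))
    print("RRSIG original-TTL mismatches:", rrsig_original_ttl_mismatches(recs))
    print("RRSIG lifetime (s):", rrsig_lifetime_seconds(recs[1]))
```

Run against a real server by piping `dig @server name +dnssec +multi` into `parse_answer_section`. With the post's output and a cap of 3600, both the A record and its RRSIG are reported at 7200, which is exactly the observation above; with a cap of 7200 nothing is reported. The original-TTL check only fires when the served TTL and the signed TTL diverge, which is not the case in the post (both are 7200).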

