max-zone-ttl deprecation
stuart at registry.godaddy
Wed Feb 26 03:45:32 UTC 2025
With the deprecation of "max-zone-ttl" coming soon, noting comments about it being moved to the dnssec-policy statements, how can we stop an upstream zone from accepting a dynamic update with a TTL out of range?
Basic situation:
- Primary zone server, no DNSSEC policies
- Primary signing server, inline-signing with DNSSEC policies
- Primary/Secondary distribution server, no DNSSEC policies
Whilst the "max-zone-ttl" will be valid in the dnssec-policy present on the signing server, it doesn't stop the possibility of an out-of-range TTL being introduced in the primary zone server initially, which I believe will be too late to make any intelligent decisions.
Is the idea to create a do-nothing dnssec policy to have some method of enforcement?
Thoughts?
Stuart
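As an added example, not from the original post and not part of BIND or nsupdate, here is a client-side pre-check that emulates the TTL cap before an update batch reaches the primary: it flags every `update add` whose effective TTL exceeds an assumed limit, honouring nsupdate's `ttl` default directive. The sample batch and the 86400-second limit are constructed for illustration.

```python
import re

# Constructed sample nsupdate batch (not taken from the original post).
SAMPLE_UPDATE = """\
server 192.0.2.1
zone example.com.
ttl 3600
update add www.example.com. 300 IN A 192.0.2.10
update add api.example.com. 1209600 IN AAAA 2001:db8::10
update add mail.example.com. IN MX 10 mx.example.com.
update delete old.example.com. A
send
"""

# Assumed bound, standing in for the max-zone-ttl the signing server's dnssec-policy applies.
MAX_ZONE_TTL = 86400

# nsupdate syntax: update add <name> [ttl] [class] <type> <rdata>
UPDATE_ADD_RE = re.compile(
    r"^update\s+add\s+(?P<name>\S+)\s+"
    r"(?:(?P<ttl>\d+)\s+)?"
    r"(?:(?P<cls>IN|CH|HS)\s+)?"
    r"(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$",
    re.IGNORECASE,
)


def find_ttl_violations(script: str, max_ttl: int):
    """Return (line_number, owner_name, ttl) for each 'update add' whose TTL exceeds max_ttl.

    An explicit TTL on the record wins; otherwise the most recent 'ttl' directive applies.
    A record with neither is left for nsupdate itself to reject, so it is not reported here.
    """
    default_ttl = None
    violations = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if parts[0].lower() == "ttl" and len(parts) == 2 and parts[1].isdigit():
            default_ttl = int(parts[1])  # nsupdate's default-TTL directive
            continue
        m = UPDATE_ADD_RE.match(line)
        if not m:
            continue  # server, zone, send, update delete: nothing carries a TTL
        ttl = int(m.group("ttl")) if m.group("ttl") else default_ttl
        if ttl is not None and ttl > max_ttl:
            violations.append((lineno, m.group("name"), ttl))
    return violations


if __name__ == "__main__":
    for lineno, name, ttl in find_ttl_violations(SAMPLE_UPDATE, MAX_ZONE_TTL):
        print(f"line {lineno}: {name} TTL {ttl} exceeds {MAX_ZONE_TTL}")
```

Run the batch through this before handing it to nsupdate; an empty result means every added record already fits the bound the signing server will enforce.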