[dns-operations] Org Dnskey TTL
marka at isc.org
Thu Jun 18 00:28:43 UTC 2009
In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>, Dave Knight
> Hi George,
> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
> > dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
> > seems to be showing zero TTL for the Dnskey records.
> > Am I confused or missing something, isn't this all wrong?
> You are correct, this is a problem and we are aware of it.
> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
> their signatures from the TTL of the SOA. Until this weekend ORG's SOA
> TTL was 0, it has now been changed to 900. We will do a followup
> maintenance soon to correct the DNSKEY TTLs. I'll follow-up to the
> list when that happens.
> Thanks for your attention.
Do you have packet traces similar to the ones in
Why still such a low ttl for DNSKEY? I can understand for
negative responses but changes to DNSKEY would have to be
on the order of days anyway as that is what it takes to
change trust anchors.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
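
An added example, not part of the original message or of any signer's code: a check over dig-style answer lines that flags the DNSKEY TTL conditions discussed in this thread (zero TTL, a TTL out of step with the SOA TTL the signer copies from, RRSIG TTL versus its original-TTL field). The zone name, key data and the 3600-second floor are constructed assumptions.

```python
# Added example: the records below are constructed, not real .org data.
SAMPLE = """\
; SOA already raised to 900, DNSKEY RRset not yet re-signed
example. 900 IN SOA ns1.example. hostmaster.example. 2009061701 1800 900 604800 86400
example. 0 IN DNSKEY 257 3 7 PLACEHOLDERKSK=
example. 0 IN DNSKEY 256 3 7 PLACEHOLDERZSK=
example. 0 IN RRSIG DNSKEY 7 1 0 20090701000000 20090617000000 12345 example. PLACEHOLDERSIG=
"""

MIN_TTL = 3600  # assumed policy floor for this example, not a value from the thread


def parse_records(text):
    """Parse 'owner ttl class type rdata...' lines, skipping blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        records.append({"ttl": int(fields[1]), "type": fields[3].upper(), "rdata": fields[4:]})
    return records


def audit_dnskey_ttl(text, min_ttl=MIN_TTL):
    """Return (code, detail) findings for the DNSKEY RRset and its signatures."""
    records = parse_records(text)
    key_ttls = {r["ttl"] for r in records if r["type"] == "DNSKEY"}
    soa_ttls = {r["ttl"] for r in records if r["type"] == "SOA"}
    if not key_ttls:
        return [("NO_DNSKEY", "no DNSKEY records in input")]
    findings = []
    if len(key_ttls) > 1:
        findings.append(("MIXED_TTL", f"DNSKEY RRset TTLs differ: {sorted(key_ttls)}"))
    low = min(key_ttls)
    if low == 0:
        findings.append(("ZERO_TTL", "DNSKEY TTL is 0, so resolvers should not cache the keys"))
    elif low < min_ttl:
        findings.append(("LOW_TTL", f"DNSKEY TTL {low} is below {min_ttl}"))
    # Only meaningful for a signer that copies the SOA TTL, as described in the thread.
    if soa_ttls and soa_ttls != key_ttls:
        findings.append(("SOA_MISMATCH", f"SOA TTL {sorted(soa_ttls)} vs DNSKEY TTL {sorted(key_ttls)}"))
    for r in records:
        if r["type"] == "RRSIG" and r["rdata"][0].upper() == "DNSKEY":
            original_ttl = int(r["rdata"][3])  # RRSIG RDATA: covered, alg, labels, original TTL
            if r["ttl"] > original_ttl:
                findings.append(("SIG_TTL_HIGH", f"RRSIG TTL {r['ttl']} exceeds original TTL {original_ttl}"))
            if r["ttl"] not in key_ttls:
                findings.append(("SIG_TTL_DIFF", f"RRSIG TTL {r['ttl']} does not match DNSKEY TTL"))
    return findings
```

On the constructed sample this reports ZERO_TTL and SOA_MISMATCH, the state the thread describes between the SOA change and the DNSKEY re-signing.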