[dns-operations] Org Dnskey TTL
Mark Andrews
marka at isc.org
Thu Jun 18 00:28:43 UTC 2009
In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>, Dave Knight
writes:
> Hi George,
>
> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
>
> > dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
> >
> > seems to be showing zero TTL for the DNSKEY records.
> >
> > Am I confused or missing something, isn't this all wrong?
>
> You are correct, this is a problem and we are aware of it.
>
> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
> their signatures from the TTL of the SOA. Until this weekend ORG's SOA
> TTL was 0, it has now been changed to 900. We will do a follow-up
> maintenance soon to correct the DNSKEY TTLs. I'll follow up to the
> list when that happens.
>
> Thanks for your attention.
>
> dave
> Afilias

Do you have packet traces similar to the ones in
wessels_light_N46.pdf?

Why still so low a TTL for DNSKEY? I can understand for
negative responses but changes to DNSKEY would have to be
on the order of days anyway as that is what it takes to
change trust anchors.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
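
An added example, not part of the thread or of any poster's tooling: a check that reads dig-style answer lines and flags the condition discussed above, a DNSKEY RRset or its RRSIG served with a zero or very low TTL. The `example.` zone, the sample records, the function names and the `min_ttl` floor are assumptions made for illustration.

```python
# Constructed sample in dig answer layout: owner, TTL, class, type, rdata.
# "example." and the elided key/signature data are placeholders, not real records.
SAMPLE = """\
; constructed input, not captured output
example.  900  IN  SOA     ns.example. host.example. 1 1800 900 604800 86400
example.  0    IN  DNSKEY  256 3 7 AwEAAc...
example.  0    IN  DNSKEY  257 3 7 AwEAAd...
example.  0    IN  RRSIG   DNSKEY 7 1 0 20090701000000 20090617000000 1234 example. abc...
"""

def parse_records(text):
    """Yield (owner, ttl, rtype, rdata) from dig-style record lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or not fields[1].isdigit():
            continue
        yield fields[0].lower(), int(fields[1]), fields[3].upper(), fields[4:]

def audit_dnskey_ttl(text, min_ttl=3600):
    """Return sorted (owner, rrset, issue) findings for DNSKEY and its RRSIG.

    min_ttl is a hypothetical local policy floor, not a value from the thread.
    """
    key_ttl, sig_ttl = {}, {}
    for owner, ttl, rtype, rdata in parse_records(text):
        if rtype == "DNSKEY":
            key_ttl.setdefault(owner, set()).add(ttl)
        elif rtype == "RRSIG" and rdata[0].upper() == "DNSKEY":
            sig_ttl.setdefault(owner, set()).add(ttl)
    findings = set()
    for label, table in (("DNSKEY", key_ttl), ("RRSIG(DNSKEY)", sig_ttl)):
        for owner, ttls in table.items():
            if 0 in ttls:
                findings.add((owner, label, "zero-ttl"))  # resolvers will not cache it
            elif min(ttls) < min_ttl:
                findings.add((owner, label, "below-floor"))
    for owner, ttls in sig_ttl.items():
        # RFC 4034: an RRSIG's TTL must match the TTL of the RRset it covers.
        if owner in key_ttl and ttls != key_ttl[owner]:
            findings.add((owner, "RRSIG(DNSKEY)", "ttl-mismatch"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_dnskey_ttl(SAMPLE):
        print(*finding)
```
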