[dns-operations] Org Dnskey TTL

Mark Andrews marka at isc.org
Thu Jun 18 00:28:43 UTC 2009

In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>, Dave Knight 
> Hi George,
> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
> > dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
> >
> > seems to be showing zero TTL for the Dnskey records.
> >
> > Am I confused or missing something, isn't this all wrong?
> You are correct, this is a problem and we are aware of it.
> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and  
> their signatures from the TTL of the SOA. Until this weekend ORG's SOA  
> TTL was 0, it has now been changed to 900. We will do a followup  
> maintenance soon to correct the DNSKEY TTLs. I'll follow up to the  
> list when that happens.
> Thanks for your attention.
> dave
> Afilias

	Do you have packet traces similar to the ones in

	Why still so low a TTL for DNSKEY?  I can understand for
	negative responses but changes to DNSKEY would have to be
	on the order of days anyway as that is what it takes to
	change trust anchors.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
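
An added example, not part of the original thread: a small audit over `dig`-style answer text that flags the condition discussed above, a DNSKEY RRset (or the Original TTL field of its RRSIG) served with a zero or low TTL, and a DNSKEY TTL that merely mirrors the SOA TTL. The `example.` zone, the placeholder key and signature data, the 3600-second threshold and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample in dig presentation format (not a capture from the thread).
# Key and signature material are placeholders.
SAMPLE = """\
;; ANSWER SECTION:
example. 900 IN SOA ns.example. hostmaster.example. 2009061701 1800 900 604800 86400
example. 0 IN DNSKEY 256 3 8 PLACEHOLDERKEY1
example. 0 IN DNSKEY 257 3 8 PLACEHOLDERKEY2
example. 0 IN RRSIG DNSKEY 8 1 0 20090701000000 20090617000000 12345 example. PLACEHOLDERSIG
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$", re.M)

def parse(text):
    """Return (owner, ttl, type, rdata) for every RR line; comment lines do not match."""
    return [(m[1].lower(), int(m[2]), m[3].upper(), m[4]) for m in RR_RE.finditer(text)]

def audit(text, min_ttl=3600):
    """Return sorted (finding, owner, ttl) tuples; min_ttl is an assumed policy value."""
    rrs = parse(text)
    soa_ttl = {name: ttl for name, ttl, rtype, _ in rrs if rtype == "SOA"}
    findings = set()
    for name, ttl, rtype, rdata in rrs:
        if rtype == "DNSKEY":
            if ttl < min_ttl:
                findings.add(("dnskey-low-ttl", name, ttl))
            # Signer copying the SOA TTL onto the DNSKEY RRset, as described above.
            if soa_ttl.get(name) == ttl:
                findings.add(("dnskey-ttl-equals-soa", name, ttl))
        elif rtype == "RRSIG":
            fields = rdata.split()
            # RRSIG rdata: type-covered, algorithm, labels, original TTL, ...
            if fields[0].upper() == "DNSKEY" and int(fields[3]) < min_ttl:
                findings.add(("rrsig-orig-ttl-low", name, int(fields[3])))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The RRSIG check matters because the Original TTL field is covered by the signature, so a low value there persists until the RRset is re-signed even if the served TTL is later raised.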
