[dns-operations] Org Dnskey TTL
Dave Knight
dknight at ca.afilias.info
Thu Jun 18 13:50:58 UTC 2009
On 17-Jun-09, at 8:28 PM, Mark Andrews wrote:
>
> In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>,
> Dave Knight
> writes:
>> Hi George,
>>
>> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
>>
>>> dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
>>>
>>> seems to be is showing zero TTL for the Dnskey records.
>>>
>>> Am I confused or missing something, isn't this all wrong?
>>
>> You are correct, this is a problem and we are aware of it.
>>
>> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
>> their signatures from the TTL of the SOA. Until this weekend ORGs SOA
>> TTL was 0, it has now been changed to 900. We will do a followup
>> maintenance soon to correct the DNSKEY TTLs. I'll follow-up to the
>> list when that happens.
>>
>> Thanks for your attention.
>>
>> dave
>> Afilias
>
> Do you have packet traces similar to the ones in
> wessels_light_N46.pdf?
We do, happy to make them available to OARC too.
> Why still a low a ttl for DNSKEY? I can understand for
> negative responses but changes to DNSKEY would have to be
> on the order of days anyway as that is what it takes to
> change trust anchors.
Our signer solution doesn't currently allow the TTL of these records
to be set individually, a fix for this is in the pipeline though.
dave
Afilias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090618/5d6e5c33/attachment.html>
More information about the dns-operations
mailing list