[dns-operations] Org Dnskey TTL
dknight at ca.afilias.info
Thu Jun 18 13:50:58 UTC 2009
On 17-Jun-09, at 8:28 PM, Mark Andrews wrote:
> In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>,
> Dave Knight
>> Hi George,
>> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
>>> dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
>>> seems to be showing zero TTL for the Dnskey records.
>>> Am I confused or missing something, isn't this all wrong?
>> You are correct, this is a problem and we are aware of it.
>> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
>> their signatures from the TTL of the SOA. Until this weekend ORG's SOA
>> TTL was 0; it has now been changed to 900. We will do a follow-up
>> maintenance soon to correct the DNSKEY TTLs. I'll follow up to the
>> list when that happens.
>> Thanks for your attention.
> Do you have packet traces similar to the ones in
We do, happy to make them available to OARC too.
> Why still a low ttl for DNSKEY? I can understand for
> negative responses but changes to DNSKEY would have to be
> on the order of days anyway as that is what it takes to
> change trust anchors.
Our signer solution doesn't currently allow the TTL of these records
to be set individually, a fix for this is in the pipeline though.
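The problem described in this thread, a signer copying the SOA TTL onto the DNSKEY RRset and its RRSIG, is easy to catch with a routine check on the published zone. The script below is an added example, not code from the thread or from Afilias; it parses dig-style answer lines and flags a DNSKEY TTL that is zero or below a local policy minimum, and an RRSIG whose TTL or original-TTL field disagrees with the keys it covers. The sample answer sections are constructed, with placeholder key and signature material, and `min_ttl=900` is simply the value the thread mentions, not a standard.

```python
"""Added example: sanity-check DNSKEY and RRSIG TTLs from a dig-style answer.
Sample records are constructed with placeholder key material (not real keys)."""
import re

# Constructed: what `dig dnskey +dnssec org.` could show while the signer
# copies the SOA TTL (0) onto DNSKEY and the RRSIG over it.
BROKEN_ANSWER = """\
org.  0  IN  DNSKEY  257 3 7 PLACEHOLDERKSK==
org.  0  IN  DNSKEY  256 3 7 PLACEHOLDERZSK==
org.  0  IN  RRSIG   DNSKEY 7 1 0 20090701000000 20090617000000 12345 org. PLACEHOLDERSIG==
"""

# Constructed: the same answer after the TTLs have been corrected.
FIXED_ANSWER = """\
org.  900  IN  DNSKEY  257 3 7 PLACEHOLDERKSK==
org.  900  IN  DNSKEY  256 3 7 PLACEHOLDERZSK==
org.  900  IN  RRSIG   DNSKEY 7 1 900 20090701000000 20090617000000 12345 org. PLACEHOLDERSIG==
"""

# owner  ttl  IN  type  rdata...
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_rrs(text):
    """Parse presentation-format lines into (owner, ttl, rtype, rdata) tuples.

    Blank lines and dig's ';' comment lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rrs


def check_dnskey_ttls(text, min_ttl=900):
    """Return a list of findings for the DNSKEY RRset; an empty list means OK.

    Checks performed:
      * all DNSKEY records share one TTL (an RRset must),
      * that TTL is non-zero and not below min_ttl (local policy, assumed),
      * each RRSIG covering DNSKEY carries the same TTL, and its
        'original TTL' rdata field (4th field, RFC 4034) matches as well."""
    findings = []
    rrs = parse_rrs(text)
    dnskey_ttls = {ttl for _, ttl, rtype, _ in rrs if rtype == "DNSKEY"}
    if not dnskey_ttls:
        return ["no DNSKEY records in answer"]
    if len(dnskey_ttls) > 1:
        findings.append(f"DNSKEY records disagree on TTL: {sorted(dnskey_ttls)}")
    ttl = min(dnskey_ttls)
    if ttl == 0:
        findings.append("DNSKEY TTL is 0: resolvers refetch and revalidate the key set on every query")
    elif ttl < min_ttl:
        findings.append(f"DNSKEY TTL {ttl} is below policy minimum {min_ttl}")
    for _, sig_ttl, rtype, rdata in rrs:
        if rtype != "RRSIG":
            continue
        fields = rdata.split()
        if fields[0] != "DNSKEY":
            continue  # signature over some other RRset
        orig_ttl = int(fields[3])
        if sig_ttl != ttl:
            findings.append(f"RRSIG(DNSKEY) TTL {sig_ttl} differs from DNSKEY TTL {ttl}")
        if orig_ttl != ttl:
            findings.append(f"RRSIG(DNSKEY) original TTL {orig_ttl} differs from DNSKEY TTL {ttl}")
    return findings


if __name__ == "__main__":
    for label, answer in (("broken", BROKEN_ANSWER), ("fixed", FIXED_ANSWER)):
        result = check_dnskey_ttls(answer)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

In practice the input would be the ANSWER section of `dig dnskey +dnssec +norecurse @<authoritative server> <zone>`, run against each authoritative server so that a signer or distribution problem on a single server is also visible. The original-TTL check matters because validators use that RRSIG field, not the TTL they received, when reconstructing the signed data, so a mismatch between the two is a separate fault from a merely short TTL.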