[dns-operations] Org Dnskey TTL

Dave Knight dknight at ca.afilias.info
Thu Jun 18 13:50:58 UTC 2009


On 17-Jun-09, at 8:28 PM, Mark Andrews wrote:

>
> In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>,  
> Dave Knight
> writes:
>> Hi George,
>>
>> On 17-Jun-09, at 11:25 AM, George Barwood wrote:
>>
>>> dig dnskey +dnssec @a0.org.afilias-nst.info +norecurse
>>>
>>> seems to be showing a zero TTL for the DNSKEY records.
>>>
>>> Am I confused or missing something, isn't this all wrong?
>>
>> You are correct, this is a problem and we are aware of it.
>>
>> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
>> their signatures from the TTL of the SOA. Until this weekend ORG's SOA
>> TTL was 0, it has now been changed to 900. We will do a followup
>> maintenance soon to correct the DNSKEY TTLs. I'll follow-up to the
>> list when that happens.
>>
>> Thanks for your attention.
>>
>> dave
>> Afilias
>
> 	Do you have packet traces similar to the ones in
> 	wessels_light_N46.pdf?

We do, happy to make them available to OARC too.


> 	Why still a low TTL for DNSKEY?  I can understand for
> 	negative responses but changes to DNSKEY would have to be
> 	on the order of days anyway as that is what it takes to
> 	change trust anchors.

Our signer solution doesn't currently allow the TTL of these records
to be set individually; a fix for this is in the pipeline, though.


dave
Afilias
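The problem George reports above is easy to miss by eye and easy to check mechanically: pull the answer section of a DNSKEY response apart and compare the TTLs against a floor and against the RRSIG that covers them (RFC 4034 section 3 requires an RRSIG's TTL to match the TTL of the RRset it covers). The following is an added example, not code from this thread, from Afilias or from the signer appliance discussed. It builds a constructed wire-format response to `DNSKEY org.` with dummy keys, a dummy signature, dummy times and a dummy key tag, first as the TTL 0 answer described in the thread and then as a corrected one, and audits both; the 3600 second floor is an illustrative choice, not a figure from the thread. On a real server you would feed `audit()` the raw bytes of a `dig +dnssec` response instead of `sample_response()`.

```python
"""Audit DNSKEY and RRSIG TTLs in a DNS response given in wire format.

Added example, not code from the thread or from Afilias. Everything below is
constructed: the response bytes, key material, signature and times are dummies.
"""
import struct

TYPE_RRSIG = 46
TYPE_DNSKEY = 48
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # the name ends after the first pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_answers(buf):
    """Return [(owner, type, ttl, rdata)] for the answer section of a response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _, off = decode_name(buf, off)
        off += 4                             # QTYPE + QCLASS
    rrs = []
    for _ in range(ancount):
        owner, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rrs.append((owner, rtype, ttl, buf[off:off + rdlen]))
        off += rdlen
    return rrs


def audit(buf, min_ttl):
    """Flag DNSKEY RRs below min_ttl, and RRSIG(DNSKEY) RRs whose TTL does not
    match the DNSKEY RRset they cover (RFC 4034 section 3 requires a match)."""
    rrs = parse_answers(buf)
    findings, dnskey_ttls = [], {}
    for owner, rtype, ttl, rdata in rrs:
        if rtype == TYPE_DNSKEY:
            flags = struct.unpack("!H", rdata[:2])[0]   # 257 = KSK, 256 = ZSK
            dnskey_ttls.setdefault(owner, set()).add(ttl)
            if ttl < min_ttl:
                findings.append(f"{owner} DNSKEY (flags {flags}) TTL {ttl} below minimum {min_ttl}")
    for owner, rtype, ttl, rdata in rrs:
        if rtype == TYPE_RRSIG and struct.unpack("!H", rdata[:2])[0] == TYPE_DNSKEY:
            expected = dnskey_ttls.get(owner, set())
            if expected and ttl not in expected:
                shown = ", ".join(str(t) for t in sorted(expected))
                findings.append(f"{owner} RRSIG(DNSKEY) TTL {ttl} differs from DNSKEY TTL {shown}")
    return findings


def build_rr(owner_wire, rtype, ttl, rdata):
    return owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def sample_response(dnskey_ttl, rrsig_ttl=None):
    """Constructed response to 'DNSKEY org.': two dummy keys and one dummy RRSIG,
    with the TTLs a misconfigured (0) or corrected server would hand back."""
    if rrsig_ttl is None:
        rrsig_ttl = dnskey_ttl
    owner = encode_name("org.")
    ksk = struct.pack("!HBB", 257, 3, 7) + b"\x01" * 32       # flags, protocol 3, alg, dummy key
    zsk = struct.pack("!HBB", 256, 3, 7) + b"\x02" * 32
    rrsig = (struct.pack("!HBBIIIH", TYPE_DNSKEY, 7, 1, dnskey_ttl,
                         1246000000, 1245000000, 12345)       # dummy expiry/inception/key tag
             + encode_name("org.") + b"\x00" * 16)            # signer name, dummy signature
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)  # QR|AA, 1 question, 3 answers
    question = owner + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return (header + question
            + build_rr(owner, TYPE_DNSKEY, dnskey_ttl, ksk)
            + build_rr(owner, TYPE_DNSKEY, dnskey_ttl, zsk)
            + build_rr(b"\xc0\x0c", TYPE_RRSIG, rrsig_ttl, rrsig))  # owner = pointer to offset 12


if __name__ == "__main__":
    for desc, buf in [("as reported", sample_response(0)),
                      ("after fix", sample_response(86400))]:
        print(desc, audit(buf, min_ttl=3600) or ["ok"])
```

The RRSIG comparison is there because a signer that derives both TTLs from the same source, as the appliance described above does, will keep them consistent with each other even while both are wrong; a signer fix that raises only the DNSKEY TTL would surface as the second kind of finding.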