Question about "max-zone-ttl" in dnssec-policy
Tom
lists at verreckte-cheib.ch
Tue Sep 21 13:11:30 UTC 2021
Hi Matthijs
Thank you for your explanation.
The documentation says that "any record encountered with a TTL higher
than max-zone-ttl is capped at the maximum permissible TTL value".
Is the documentation wrong here?
Thank you.
Kind regards,
Tom
On 21.09.21 09:47, Matthijs Mekking wrote:
> Hi Tom,
>
> The max-zone-ttl is there to calculate the right timings for key
> rollovers. It won't alter the zone TTL values.
>
> You should set the max-zone-ttl to whatever the highest TTL is in your
> zone to make sure key rollovers timings are correct.
>
> This value exists until we have added code to the key manager that will
> read the zone's contents and detect the maximum TTL automatically.
>
> I hope this clarifies things.
>
> Best regards,
>
> Matthijs
>
>
> On 20-09-2021 17:47, Tom wrote:
>> Hi list
>>
>> Testing dnssec-policy with BIND-9.16.21:
>>
>> I'd like to better understand the "max-zone-ttl"-directive.
>> So I defined "max-zone-ttl 3600s;" within the dnssec-policy-options,
>> but when I configure the default zone TTL or even a resource record
>> TTL higher than the "max-zone-ttl" (for example to 7200s), then it's
>> not capped, as described in the documentation.
>>
>> Look here:
>> - Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
>> - The RR "www.example.com." has a TTL of 7200
>> - The server returns a TTL of 7200
>>
>> $ dig @192.168.1.10 www.example.com +dnssec +multi
>> ...
>> ...
>> ;; ANSWER SECTION:
>> www.example.com. 7200 IN A 127.0.0.1
>> www.example.com. 7200 IN RRSIG A 13 3 7200 (
>> 20211002202425 20210920143830 42786 example.com.
>> 3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
>> lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
>> ...
>> ...
>>
>>
>> What do I misunderstand here?
>>
>> Many thanks for a hint.
>>
>> Kind regards,
>> Tom
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
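Since, as Matthijs explains above, max-zone-ttl only feeds the key-rollover timing calculation and never caps what the server actually serves, the practical check is to make sure the configured value is at least the highest TTL present in the zone. The script below is an added example and not part of this thread or of BIND: it parses a small constructed zone file (with a $TTL default, explicit TTLs in both "TTL class" and "class TTL" order, a parenthesised SOA and a TXT record containing ";" and "(" inside quotes), reports the highest TTL, and compares it with the max-zone-ttl found in a constructed dnssec-policy fragment. It assumes plain master-file syntax with TTLs in seconds or with s/m/h/d/w suffixes; ISO 8601 durations (PT1H), $INCLUDE, $GENERATE and escaped quotes in TXT data are not handled.

```python
"""Check that dnssec-policy's max-zone-ttl covers the highest TTL in a zone.

max-zone-ttl is used by the key manager to time rollovers; it does not cap the
TTLs that are served, so a value below the real maximum silently produces
rollover timings that are too short. This is an added example, not BIND code.
"""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_CLASSES = {"IN", "CH", "HS"}
_TTL_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)

# Constructed sample zone (not from the thread): highest TTL is the 1d MX.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2021092001 ; serial
            7200 3600 1209600 300 )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.1 ; primary
www     7200 IN A 192.0.2.2
mail    IN 1d  MX 10 mail.example.com.
txt     IN TXT "v=spf1 -all; see (docs)"
"""

# Constructed dnssec-policy fragment (the setting Tom tested).
SAMPLE_POLICY = """\
dnssec-policy "test" {
    max-zone-ttl 3600s;
};
"""


def parse_ttl(token):
    """'3600' -> 3600, '3600s' -> 3600, '1h30m' -> 5400; None if not a TTL."""
    if not token or not token[0].isdigit():
        return None
    pos, total = 0, 0
    for m in _TTL_TOKEN.finditer(token):
        if m.start() != pos:          # gap means a character we do not accept
            return None
        total += int(m.group(1)) * _UNITS[(m.group(2) or "s").lower()]
        pos = m.end()
    return total if pos == len(token) else None


def _logical_lines(zone_text):
    """Strip ';' comments and join '( ... )' continuations, ignoring both inside quotes."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        out, in_quote = [], False
        for ch in raw:
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote:
                if ch == ";":
                    break
                if ch in "()":
                    depth += 1 if ch == "(" else -1
                    continue
            out.append(ch)
        buf.append("".join(out))
        if depth == 0:
            line = " ".join(buf)
            buf = []
            if line.strip():
                yield line


def zone_records(zone_text):
    """Yield (owner, rtype, ttl_seconds) for every RR; owner '@' is left unexpanded."""
    default_ttl, last_owner = None, None
    for line in _logical_lines(zone_text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$TTL":
                default_ttl = parse_ttl(tokens[1])
            continue                      # $ORIGIN and friends do not affect TTLs
        if line[0].isspace():
            owner = last_owner            # leading blank: owner inherited
        else:
            owner = last_owner = tokens.pop(0)
        ttl = None
        while tokens:                     # TTL and class may appear in either order
            tok = tokens[0]
            if tok.upper() in _CLASSES:
                tokens.pop(0)
            elif (value := parse_ttl(tok)) is not None:
                ttl, _ = value, tokens.pop(0)
            else:
                break
        if not tokens:
            raise ValueError(f"no record type in: {line!r}")
        ttl = default_ttl if ttl is None else ttl
        if ttl is None:
            raise ValueError(f"no TTL and no $TTL before: {line!r}")
        yield owner, tokens[0].upper(), ttl


def max_zone_ttl(zone_text):
    """(owner, rtype, ttl) of the record with the highest TTL in the zone."""
    return max(zone_records(zone_text), key=lambda rec: rec[2])


def policy_max_zone_ttl(named_conf_text):
    """Seconds from the first 'max-zone-ttl <value>;' in a named.conf fragment."""
    m = re.search(r"max-zone-ttl\s+(\S+?)\s*;", named_conf_text)
    return parse_ttl(m.group(1)) if m else None


def max_zone_ttl_is_sufficient(zone_text, configured_seconds):
    """True when max-zone-ttl is at least the highest TTL actually in the zone."""
    return max_zone_ttl(zone_text)[2] <= configured_seconds


if __name__ == "__main__":
    owner, rtype, ttl = max_zone_ttl(SAMPLE_ZONE)
    configured = policy_max_zone_ttl(SAMPLE_POLICY)
    print(f"highest TTL {ttl}s ({owner} {rtype}); max-zone-ttl is {configured}s")
    if not max_zone_ttl_is_sufficient(SAMPLE_ZONE, configured):
        print(f"raise max-zone-ttl to at least {ttl}s so rollover timings are safe")
```

Run against the real zone file and named.conf instead of the embedded samples; with the sample data the script reports that max-zone-ttl 3600s is too low because the MX record carries a TTL of one day. The point of the check is the one made in the thread: the 7200s www record in Tom's test is served with 7200 precisely because max-zone-ttl never rewrites TTLs, so the configured value has to follow the zone, not the other way round.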