nsupdate, dnssec, minimum ttl

Eric Ham ericham at usc.edu
Thu Jun 17 19:10:17 UTC 2010


I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with 
setting up dnssec. So far my tests are working well with dynamic updates 
and validation of the dnssec records, but I have a question on how the 
TTL is set for the NSEC and RRSIG NSEC records.

As a test, when I do the following update:

nsupdate
 > ttl 7200
 > update add ldap5.example.com CNAME ldap.example.com
 > send

I then see the following set of entries via named-journalprint with the 
respective TTLs.

add ldap5.example.com. 7200    IN      CNAME   ldap.example.com.
add ldap5.example.com. 7200    IN      RRSIG   CNAME 5 3 7200 ...
add ldap5.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
add ldap4.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
add ldap4.example.com. 86400   IN      NSEC    ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400   IN      NSEC    ldp.example.com. CNAME RRSIG NSEC

It would appear that the NSEC and RRSIG NSEC TTLs are set to my 
example.com zone's minimum TTL which is 86400 instead of inheriting the 
TTL I set of 7200.

Is this the expected behavior? I guess I was hoping that since nsupdate 
was auto creating the NSEC and RRSIG NSEC records for me, that it would 
inherit the "ttl 7200" value.

Regards,
-Eric
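A small checker, added here as an example and not part of Eric's post or of BIND, that parses the named-journalprint lines above and applies the two DNSSEC TTL rules involved: an RRSIG's TTL and its Original TTL field equal the TTL of the RRset it covers (RFC 4034 section 3 and 3.1.4), while an NSEC's TTL follows the SOA minimum TTL rather than the data RRset (RFC 4034 section 4). The sample lines are the ones from the post, with the 86400 zone minimum it states; the "..." is kept as a stand-in for the rest of each RRSIG.

```python
import re
# Constructed sample: the named-journalprint output quoted in the post,
# with "..." standing in for the remaining RRSIG fields.
JOURNAL = """\
add ldap5.example.com. 7200    IN      CNAME   ldap.example.com.
add ldap5.example.com. 7200    IN      RRSIG   CNAME 5 3 7200 ...
add ldap5.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
add ldap4.example.com. 86400   IN      RRSIG   NSEC 5 3 86400 ...
add ldap4.example.com. 86400   IN      NSEC    ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400   IN      NSEC    ldp.example.com. CNAME RRSIG NSEC
"""
SOA_MINIMUM = 86400  # the example.com zone's minimum TTL, as stated in the post

LINE_RE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")

def parse_journal(text):
    """Parse journalprint lines into (op, owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            op, owner, ttl, rtype, rdata = m.groups()
            records.append((op, owner, int(ttl), rtype, rdata))
    return records

def check_ttls(records, soa_minimum):
    """Return a list of (owner, message) for every added record that breaks
    a DNSSEC TTL rule; an empty list means the journal is consistent."""
    # TTL of each data RRset, keyed by (owner, type), for matching RRSIGs.
    data_ttl = {(o, t): ttl for op, o, ttl, t, _ in records
                if op == "add" and t != "RRSIG"}
    problems = []
    for op, owner, ttl, rtype, rdata in records:
        if op != "add":
            continue
        if rtype == "NSEC" and ttl != soa_minimum:
            # RFC 4034 s4: NSEC TTL follows the SOA minimum, not the data RRset.
            problems.append((owner, f"NSEC TTL {ttl} != SOA minimum {soa_minimum}"))
        elif rtype == "RRSIG":
            covered, orig_ttl = rdata.split()[0], int(rdata.split()[3])
            expected = data_ttl.get((owner, covered))
            # RFC 4034 s3 / s3.1.4: RRSIG TTL and Original TTL match the covered RRset.
            if expected is not None and (ttl != expected or orig_ttl != expected):
                problems.append((owner, f"RRSIG {covered} TTL {ttl}/{orig_ttl} "
                                        f"!= {covered} TTL {expected}"))
    return problems

if __name__ == "__main__":
    for owner, msg in check_ttls(parse_journal(JOURNAL), SOA_MINIMUM):
        print(owner, msg)
```

Run against the post's output it reports nothing: the 7200 the update set only governs the CNAME and its RRSIG, and the 86400 on the NSEC and RRSIG NSEC is what the rules call for.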


