DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

[Tony Finch]

Александр Остапенко <aleks.ostapenko.post at gmail.com> wrote:

> Thanks for a workaround. But in this case - after "dnssec-settime -L ttl" I
> need unsign/sign zone (p.1 of steps above) in order to new TTL value
> appeared in DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no
> effect). But I would like to find a solution without the need of
> unsigning/signing cycle.

You might be able to change the TTL using `nsupdate`, but I'm not
confident it'll work - the update has to delete all the DNSKEY records
then re-add them, so it might end up unsigning and resigning the zone.
(If `named` can't change the TTL directly and you do not have
"dnssec-secure-to-insecure yes;" the update will be rejected.)

The other option is to freeze the zone, manually edit the TTL in the
signed master file, then unfreeze.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
German Bight, Humber, Thames, Dover: Southwest 5 or 6, becoming variable 3 or
4 later. Slight or moderate. Rain, fair later. Moderate or good, occasionally
poor.