DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

Thomas Schulz schulz at adi.com
Thu Aug 25 17:28:11 UTC 2016


> In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW3nLokctag at mail.gmail.com>
> , Александр Остапенко writes:
> > Hello.
> > 
> > I'm using BIND 9.9.5.
> > My steps:
> > 
> >    1. Sign zone using one 1 ZSK and 2 KSK:  a) adding "*auto-dnssec
> >    maintain;*" and "*inline-signing yes;*" directive into zone section of
> >    named.conf;  b) setting publication and activation timestamps to current
> >    time in key files;  c) *rndc reload*.
> >    2. Change TTL value in the zone file ($TTL 86400   ==>  $TTL 432000).
> >    3. Increase serial number in SOA record by 1.
> >    4. *rndc reload*.
> > 
> > After that - DNSKEY and RRSIG DNSKEY records still have 86400 value in TTL
> > (checked via *dig*).
> > What could be the reason for such behavior?

When you use inline-signing yes, Bind increments the effective serial number
each time it makes a change in the zone as published. So the serial number
actually being used is likely more than 1 more than the serial number in the
zone file. So perhaps you should use dig to find the published serial number
and then set the number in the zone file to be greater than that.


> > Kind regards,
> > Aleks Ostapenko
> 
> Use "dnssec-settime -L ttl"
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
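An added check that applies both replies above (example code, not from this thread or from BIND): it reads the serial and DNSKEY TTL that named actually publishes, in the shape dig prints them, and compares them with the zone file's serial and $TTL. The dig output, zone name, serials and key data are constructed so the script runs offline; in practice feed it `dig +noall +answer <zone> SOA DNSKEY`.

```shell
#!/bin/sh
# Compare what the zone file says with what the inline-signed zone publishes.
ZONE_FILE_TTL=432000          # new $TTL in the zone file (from the question)
ZONE_FILE_SERIAL=2016082502   # serial as edited in the zone file (constructed)

# Constructed sample in the format of `dig +noall +answer example.com SOA DNSKEY`.
# Fields: name ttl class type rdata...
DIG_OUTPUT='example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2016082509 7200 3600 1209600 3600
example.com. 86400 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKSK==
example.com. 86400 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSK=='

# SOA rdata is: mname rname serial refresh retry expire minimum,
# so in a dig answer line the serial is field 7.
published_serial() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# TTL is field 2 of a dig answer line; the first DNSKEY record is enough,
# since all records of one RRset share a TTL.
dnskey_ttl() {
    printf '%s\n' "$1" | awk '$4 == "DNSKEY" { print $2; exit }'
}

# Inline signing bumps the published serial on its own, so the zone file's
# serial must exceed the *published* one, not just the file's previous value.
next_serial() {
    file_serial=$1; pub_serial=$2
    if [ "$file_serial" -gt "$pub_serial" ]; then
        echo "$file_serial"
    else
        echo $((pub_serial + 1))
    fi
}

# True when the DNSKEY RRset's TTL differs from the zone's $TTL.
ttl_mismatch() {
    [ "$1" -ne "$2" ]
}

pub=$(published_serial "$DIG_OUTPUT")
echo "published serial: $pub, zone file serial: $ZONE_FILE_SERIAL"
echo "use a serial of at least $(next_serial "$ZONE_FILE_SERIAL" "$pub") in the zone file"
ttl=$(dnskey_ttl "$DIG_OUTPUT")
if ttl_mismatch "$ZONE_FILE_TTL" "$ttl"; then
    # The DNSKEY TTL is carried in the key files, not taken from $TTL (Mark's reply).
    echo "DNSKEY TTL $ttl != \$TTL $ZONE_FILE_TTL: run 'dnssec-settime -L $ZONE_FILE_TTL' on each key file"
fi
```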
