Question about "max-zone-ttl" in dnssec-policy

Matthijs Mekking matthijs at isc.org
Tue Sep 21 07:47:05 UTC 2021


Hi Tom,

The max-zone-ttl is there to calculate the right timings for key 
rollovers. It won't alter the zone TTL values.

You should set the max-zone-ttl to whatever the highest TTL is in your 
zone to make sure key rollover timings are correct.

This value exists until we have added code to the key manager that will 
read the zone's contents and detect the maximum TTL automatically.

I hope this clarifies things.

Best regards,

Matthijs
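One way to find the value the reply says to configure, as an added example that is not part of the original thread or of BIND itself (helper names are hypothetical, the sample zone is constructed): it parses master-file text for the highest TTL actually in use and compares it with a configured max-zone-ttl.

```python
import re
# Constructed sample zone (not from the thread): $TTL default, explicit/unit TTLs, comments, multi-line SOA.
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA ns1 hostmaster (
            2021092001 7200 3600 1209600 300 )  ; SOA timers are not TTLs
        IN NS  ns1
www     7200 IN A 192.0.2.10   ; explicit TTL above the $TTL default
mail    IN MX 10 mail          ; the "10" is an MX preference, not a TTL
cache   1h30m IN A 192.0.2.20  ; BIND-style unit suffixes
"""
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"(?:\d+[smhdw]?)+", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}

def parse_ttl(token):
    """Convert a TTL token such as '7200', '2h' or '1h30m' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", token, re.IGNORECASE))

def max_ttl_in_zone(zone_text):
    """Largest TTL (seconds) of any record; assumes $TTL is set, ignores quoting."""
    default_ttl, highest, depth = 0, 0, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]                  # strip comment
        if depth > 0:                                # inside '(' ... ')' rdata
            depth += line.count("(") - line.count(")")
            continue
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):                # $TTL, $ORIGIN, $INCLUDE
            if tokens[0].upper() == "$TTL":
                default_ttl = parse_ttl(tokens[1])
            continue
        fields = tokens if raw[0].isspace() else tokens[1:]   # drop owner name
        ttl = default_ttl
        for tok in fields:                           # TTL/class in either order
            if tok.upper() in CLASSES:
                continue
            if TTL_RE.fullmatch(tok):
                ttl = parse_ttl(tok)
            break                                    # reached the RR type
        highest = max(highest, ttl)
        depth += line.count("(") - line.count(")")
    return highest

def check_max_zone_ttl(zone_text, configured):
    actual = max_ttl_in_zone(zone_text)   # real maximum vs configured max-zone-ttl
    return actual, actual <= configured
```

A result of `(7200, False)` for a policy with `max-zone-ttl 3600;` means the configured value is too low for the zone's real TTLs and rollover timing would be computed from the wrong number.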


On 20-09-2021 17:47, Tom wrote:
> Hi list
> 
> Testing dnssec-policy with BIND-9.16.21:
> 
> I'd like to better understand the "max-zone-ttl"-directive.
> So I defined "max-zone-ttl 3600s;" within the dnssec-policy-options, but 
> when I configure the default zone TTL or even a resource record TTL 
> higher than the "max-zone-ttl" (for example to 7200s), then it's not 
> capped, as described in the documentation.
> 
> Look here:
> - Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
> - The RR "www.example.com." has a TTL of 7200
> - The server returns a TTL of 7200
> 
> $ dig @192.168.1.10 www.example.com +dnssec +multi
> ...
> ...
> ;; ANSWER SECTION:
> www.example.com.    7200 IN A 127.0.0.1
> www.example.com.    7200 IN RRSIG A 13 3 7200 (
>                  20211002202425 20210920143830 42786 example.com.
>                  3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
>                  lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
> ...
> ...
> 
> 
> What do I misunderstand here?
> 
> Many thanks for a hint.
> 
> Kind regards,
> Tom
