Fwd: Question about "max-zone-ttl" in dnssec-policy

Matthijs Mekking matthijs at isc.org
Wed Sep 22 07:45:33 UTC 2021


Apologies, it appears that I sent this reply to Tom directly.

-------- Forwarded Message --------
Hi Tom,

That seems to be a copy-paste error, yes. Thanks for catching it, will fix.

There is another max-zone-ttl option that is used to cap TTLs of records 
added via dynamic updates.

Best regards,

Matthijs


On 21-09-2021 15:11, Tom wrote:
> Hi Matthijs
> 
> Thank you for your explanation.
> 
> The documentation says that "any record encountered with a TTL higher 
> than max-zone-ttl is capped at the maximum permissible TTL value".
> 
> Is the documentation wrong here?
> 
> Thank you.
> Kind regards,
> Tom
> 
> 
> 
> On 21.09.21 09:47, Matthijs Mekking wrote:
>> Hi Tom,
>>
>> The max-zone-ttl is there to calculate the right timings for key 
>> rollovers. It won't alter the zone TTL values.
>>
>> You should set the max-zone-ttl to whatever the highest TTL is in your 
>> zone to make sure key rollover timings are correct.
>>
>> This value exists until we have added code to the key manager that 
>> will read the zone's contents and detect the maximum TTL automatically.
>>
>> I hope this clarifies things.
>>
>> Best regards,
>>
>> Matthijs
>>
>>
>> On 20-09-2021 17:47, Tom wrote:
>>> Hi list
>>>
>>> Testing dnssec-policy with BIND-9.16.21:
>>>
>>> I'd like to better understand the "max-zone-ttl"-directive.
>>> So I defined "max-zone-ttl 3600s;" within the dnssec-policy-options, 
>>> but when I configure the default zone TTL or even a resource record 
>>> TTL higher than the "max-zone-ttl" (for example to 7200s), then it's 
>>> not capped, as described in the documentation.
>>>
>>> Look here:
>>> - Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
>>> - The RR "www.example.com." has a TTL of 7200
>>> - The server returns a TTL of 7200
>>>
>>> $ dig @192.168.1.10 www.example.com +dnssec +multi
>>> ...
>>> ...
>>> ;; ANSWER SECTION:
>>> www.example.com.    7200 IN A 127.0.0.1
>>> www.example.com.    7200 IN RRSIG A 13 3 7200 (
>>>                  20211002202425 20210920143830 42786 example.com.
>>>                  3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
>>>                  lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
>>> ...
>>> ...
>>>
>>>
>>> What do I misunderstand here?
>>>
>>> Many thanks for a hint.
>>>
>>> Kind regards,
>>> Tom
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>> unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support 
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>>> information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
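The advice in the thread is to set the dnssec-policy max-zone-ttl by hand to the highest TTL that actually occurs in the zone, since BIND 9.16 does not yet derive it from the zone data. As an added example (not ISC or BIND code), the following script scans a master-file zone text and reports that value; it assumes the standard layout ($TTL directive, optional per-record TTL before or after the class, parenthesised multi-line records) and does not follow $INCLUDE or expand $GENERATE.

```python
"""Report the highest TTL in a zone file so dnssec-policy's max-zone-ttl can be
set to match it. Added example, not BIND/ISC code; it handles $TTL, explicit
per-record TTLs, comments and multi-line records but not $INCLUDE/$GENERATE."""
import re

UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS", "CS"}

def parse_ttl(tok):
    """'7200' -> 7200, '1d12h' -> 129600; None if tok is not a TTL."""
    if tok.isdigit():
        return int(tok)
    if not re.fullmatch(r"(?:\d+[smhdw])+", tok, re.IGNORECASE):
        return None
    return sum(int(n) * UNIT[u.lower()] for n, u in re.findall(r"(\d+)([a-z])", tok, re.IGNORECASE))

def max_zone_ttl(zone_text):
    """Largest TTL (seconds) of any record: the value to give max-zone-ttl."""
    default_ttl, highest, depth = None, 0, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if depth > 0:                                  # inside ( ... ): no TTL field here
            depth += line.count("(") - line.count(")")
            continue
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):                  # $TTL sets the default; other directives carry no TTL
            if fields[0].upper() == "$TTL":
                default_ttl = parse_ttl(fields[1])
            continue
        depth += line.count("(") - line.count(")")
        rest = fields if raw[0] in " \t" else fields[1:]   # drop the owner name if present
        ttl = default_ttl
        for tok in rest[:2]:                           # TTL and class may come in either order
            if tok.upper() not in CLASSES and parse_ttl(tok) is not None:
                ttl = parse_ttl(tok)
                break
        if ttl is not None:
            highest = max(highest, ttl)
    return highest

SAMPLE_ZONE = """$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2021092001 ; constructed sample zone; this serial line carries no TTL
         3600 900 1w 1h )
www 7200 IN A 127.0.0.1
mail IN 2h MX 10 mail.example.com.
"""
```

Run `max_zone_ttl(open("example.com.zone").read())` against the real zone file; the constructed sample above yields 7200, the www TTL from the thread, so its policy would need `max-zone-ttl 7200;`.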

