dnssec rookie question

Hugo Salgado hsalgado at nic.cl
Mon Jan 10 16:04:50 UTC 2022


On 16:48 10/01, Danilo Godec via bind-users wrote:
> Hello,
> 
> 
> today I implemented DNSSEC for a domain - by that I mean that the DS records
> have been published / added to TLD DNS today, while the zone has been signed
> a couple of days ago.
> 
> 
> So a couple of hours later I went to https://dnsviz.net to see if everything
> seems OK and it reports one error and a couple of warnings. The error is:
> 
> 
> RRSIG sid.si/NSEC3PARAM alg 13, id 48018: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (0).
> 
> 
> But if I use /dig/ for, I get this:
> 
> ;; ANSWER SECTION:
> sid.si.                 3600    IN      NSEC3PARAM 1 0 10 -
> sid.si.                 3600    IN      RRSIG   NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
> 
> 
> Both records show TTL 3600 - which should be OK, I think? Where does
> dnsviz.net get that TTL 0?
> 

That TTL is inside the rdata for the RRSIG. It says "... NSEC3PARAM
13 2 *0* ...". That 0 is the "original TTL" for the record.

So currently there's an inconsistency between the 3600 declared
in the TTL of the rrset, and the "original TTL" in the RRSIG.

Hugo
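
To make the distinction concrete, the following added example (not code from the thread or from BIND) parses the two dig lines quoted above, reads the Original TTL out of the RRSIG rdata, and reports both the inconsistency dnsviz flagged and the TTL a validating resolver would cap the RRset to under RFC 4035 section 5.3.3; the field positions follow RFC 4034 section 3.2, and the input is the constructed copy of the quoted answer.

```python
"""Compare an RRset's TTL with the Original TTL field of its RRSIG, as dnsviz
did in the thread, and compute the TTL a validator would cache it with
(RFC 4034 s3.1.4, RFC 4035 s5.3.3). Added example, not from the post or BIND."""
from typing import Dict, List, Tuple

# Constructed input: the two dig answer lines quoted in the thread.
DIG_ANSWER = """\
sid.si.                 3600    IN      NSEC3PARAM 1 0 10 -
sid.si.                 3600    IN      RRSIG   NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
"""

def parse_rr(line: str) -> Dict:
    """Presentation format: owner TTL class TYPE rdata...; rdata kept as tokens."""
    owner, ttl, _cls, rtype, *rdata = line.split()
    return {"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata}

def rrsig_original_ttl(sig: Dict) -> int:
    """RRSIG rdata order (RFC 4034 s3.2): type covered, algorithm, labels,
    ORIGINAL TTL, expiration, inception, key tag, signer, signature."""
    return int(sig["rdata"][3])

def check_answer(answer: str) -> List[Tuple[str, bool, int]]:
    """For every RRSIG in the answer return (type covered, TTL consistent?,
    TTL a validator would cap the RRset to, ignoring signature expiry)."""
    rrs = [parse_rr(l) for l in answer.splitlines() if l.strip()]
    out = []
    for sig in (r for r in rrs if r["type"] == "RRSIG"):
        covered_type = sig["rdata"][0]
        rrset = [r for r in rrs if r["owner"] == sig["owner"] and r["type"] == covered_type]
        if not rrset:
            continue  # RRSIG without its RRset in this answer; nothing to compare
        orig = rrsig_original_ttl(sig)
        rrset_ttl = rrset[0]["ttl"]
        # RFC 4034 s3.1.4: Original TTL must be the TTL as it appears in the zone,
        # so an authoritative RRset TTL above it is exactly what dnsviz reported.
        consistent = rrset_ttl <= orig
        # RFC 4035 s5.3.3: cached TTL is no greater than
        # min(RRset TTL, RRSIG TTL, Original TTL, time until expiration).
        capped = min(rrset_ttl, sig["ttl"], orig)
        out.append((covered_type, consistent, capped))
    return out

if __name__ == "__main__":
    for covered, ok, capped in check_answer(DIG_ANSWER):
        state = "consistent" if ok else "RRset TTL exceeds Original TTL"
        print(f"{covered}: {state}; a validator caches it for at most {capped}s")
```

Re-signing the zone with the RRset at its real TTL is what brings the Original TTL field back to 3600; until then, a validator that accepts the signature will cache the NSEC3PARAM RRset with a TTL of 0.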



