[Opendnssec-develop] Missing TTLs in zone files

Roy Arends roy at nominet.org.uk
Mon Oct 19 10:51:43 UTC 2009

Stephen Morris wrote on 10/19/2009 12:44:47 PM:
> Ray.Bellis at nominet.org.uk wrote on 19/10/2009 11:34:13:
> > > Hi Ray,
> > >
> > > Where do modern implementations get their 'default TTL' value from
> > > if the per record TTL and TTL directives are omitted?
> >
> > Damned good question.  RFC 2308 appears to be silent on that
> > issue, except to say:
> >
> > "Where a server does not require RRs to include the TTL value
> > explicitly, it should provide a mechanism, ** not being the value
> > of the MINIMUM field of the SOA record **, from which the missing
> > TTL values are obtained." (my emphasis).
> >
> > Ray
>
> Two options:
>
> 1) Add an entry in the policy configuration file to specify a
> default TTL. (This fits in with the idea of "providing a mechanism
> from which the missing TTL values are obtained".)
>
> 2) Flag it as an error.  If a user is telling OpenDNSSEC to sign a
> zone and hasn't specified a TTL, and OpenDNSSEC doesn't allow a
> default TTL to be specified, how can the user expect to get anything
> other than a random value?
>
> Although my gut instinct is to go for (2), I think (1) might be more
> acceptable, especially in the case of thousands of zones all being
> signed using the same policy.

How about 

3) In the absence of an explicit TTL and a $TTL directive, the SOA Minimum
value is used. That is what all modern implementations use. I think the
default behavior of BIND (i.e. named, and several of its tools) is to
still use the "SOA Minimum Field", issue a notice, and move on. For
instance named-compilezone compiles the following zone:

@ IN SOA a a 111 2222 3333 4444 5555 
  NS a
a A

issues the following information:

/usr/sbin/named-compilezone -o example.zone example example.file 
  example.file:1: no TTL specified; using SOA MINTTL instead
  zone example/IN: loaded serial 111
  dump zone to example.zone...done

which results in the following zone:

example. 5555 IN SOA a.example. a.example. 111 2222 3333 4444 5555
example. 5555 IN NS     a.example.
a.example. 5555 IN A

This way lies in the path of least surprise.

Kind regards,
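Editor's note: the following is an added worked example, not code from Roy Arends, the OpenDNSSEC project or BIND. It is a deliberately small master-file loader that implements the TTL precedence the thread is arguing about (explicit TTL on the RR, then $TTL, then a fallback) and exposes the three proposed fallbacks as a mode switch: Stephen's option 1 (policy default TTL), option 2 (reject the zone) and Roy's option 3 (SOA MINIMUM plus a notice). The sample zone is constructed to mirror the one quoted above; the address on the A record and the "b" record are assumptions, as the original omitted them. It handles one record per line only (no parentheses, $INCLUDE or unit-suffixed TTLs).

```python
"""TTL defaulting for master-file records: explicit RR TTL > $TTL > fallback.

Fallback is chosen by `mode`:
  "soa-minimum": use the SOA MINIMUM field and record a notice (option 3)
  "policy":      use a TTL supplied by the signing policy        (option 1)
  "strict":      reject the zone                                 (option 2)
"""
from dataclasses import dataclass, field

CLASSES = {"IN", "CH", "HS"}
# RDATA fields holding domain names, which get the origin appended when relative
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}


class ZoneError(ValueError):
    """Raised when the zone cannot be loaded under the chosen TTL policy."""


@dataclass
class RR:
    name: str
    ttl: int
    rrclass: str
    rtype: str
    rdata: list


@dataclass
class ZoneLoad:
    records: list = field(default_factory=list)
    notices: list = field(default_factory=list)


def qualify(name, origin):
    """Make a relative owner or RDATA name absolute, as a loader would."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin, mode="soa-minimum", policy_ttl=None):
    if not origin.endswith("."):
        origin += "."
    load = ZoneLoad()
    default_ttl = None   # set by a $TTL directive
    soa_minimum = None   # known only once the SOA RDATA has been parsed
    last_owner = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            raise ZoneError(f"line {lineno}: unsupported directive {tokens[0]}")
        # Leading whitespace means "same owner as the previous record"
        owner = last_owner if raw[0] in " \t" else qualify(tokens.pop(0), origin)
        if owner is None:
            raise ZoneError(f"line {lineno}: record has no owner name")
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        rrclass = tokens.pop(0).upper() if tokens and tokens[0].upper() in CLASSES else "IN"
        if not tokens:
            raise ZoneError(f"line {lineno}: missing RR type")
        rtype = tokens.pop(0).upper()
        rdata = [qualify(f, origin) if i in NAME_FIELDS.get(rtype, ()) else f
                 for i, f in enumerate(tokens)]
        if rtype == "SOA":
            if len(rdata) != 7:
                raise ZoneError(f"line {lineno}: SOA needs 7 RDATA fields")
            soa_minimum = int(rdata[6])   # MINIMUM is the last SOA field
        if ttl is None:
            if default_ttl is not None:
                ttl = default_ttl
            elif mode == "policy" and policy_ttl is not None:
                ttl = policy_ttl
            elif mode == "soa-minimum" and soa_minimum is not None:
                ttl = soa_minimum
                if not load.notices:   # one notice per zone, as in the quoted tool output
                    load.notices.append(f"line {lineno}: no TTL specified; using SOA MINTTL instead")
            else:   # strict mode, or an RR before the SOA with nothing to fall back on
                raise ZoneError(f"line {lineno}: no TTL specified; zone rejected")
        load.records.append(RR(owner, ttl, rrclass, rtype, rdata))
    return load


def to_text(load):
    """Render records the way a compiled zone dump prints them."""
    return "\n".join(f"{r.name} {r.ttl} {r.rrclass} {r.rtype} {' '.join(r.rdata)}"
                     for r in load.records)


# Constructed sample mirroring the thread's zone; the A record's address is assumed.
ZONE_NO_TTL = """\
@ IN SOA a a 111 2222 3333 4444 5555
  NS a
a A 192.0.2.1
"""
# Same zone with a $TTL directive and one RR carrying its own TTL (assumed).
ZONE_WITH_TTL = "$TTL 3600\n" + ZONE_NO_TTL + "b 300 IN A 192.0.2.2\n"

if __name__ == "__main__":
    load = parse_zone(ZONE_NO_TTL, "example")
    print("\n".join(load.notices))
    print(to_text(load))
```

Running it on ZONE_NO_TTL reproduces the quoted named-compilezone behaviour: every RR gets TTL 5555 and a single "using SOA MINTTL instead" notice is recorded. Switching to mode="strict" makes the same zone fail to load, and mode="policy" with policy_ttl set gives option 1 with no notice. Note that the SOA MINIMUM fallback only works if the SOA is the first record; an RR without a TTL that precedes it is rejected because there is nothing yet to fall back on.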
