[Opendnssec-develop] Missing TTLs in zone files
roy at nominet.org.uk
Mon Oct 19 10:51:43 UTC 2009
Stephen Morris wrote on 10/19/2009 12:44:47 PM:
> Ray.Bellis at nominet.org.uk wrote on 19/10/2009 11:34:13:
> > > Hi Ray,
> > >
> > > Where do modern implementations get their 'default TTL' value from
> > > if the per record TTL and TTL directives are omitted?
> > Damned good question. RFC 2308 appears to be silent on that
> > issue, except to say:
> > "Where a server does not require RRs to include the TTL value
> > explicitly, it should provide a mechanism, ** not being the value of
> > the MINIMUM field of the SOA record **, from which the missing TTL
> > values are obtained."
> > (my emphasis).
> > Ray
> Two options:
> 1) Add an entry in the policy configuration file to specify a
> default TTL. (This fits in with the idea of "providing a mechanism
> from which the missing TTL values are obtained".)
> 2) Flag it as an error. If a user is telling OpenDNSSEC to sign a
> zone and hasn't specified a TTL, and OpenDNSSEC doesn't allow a
> default TTL to be specified, how can the user expect to get anything
> other than a random value?
> Although my gut instinct is to go for (2), I think (1) might be more
> acceptable, especially in the case of thousands of zones all being
> signed using the same policy.
3) In absence of an explicit TTL and a $TTL directive, the SOA Minimum
value is used. That is what all modern implementations use. I think the
default behavior of BIND (i.e. named, and several of its tools), is to
still use the "SOA Minimum Field", issue a notice, and move on. For
instance named-compilezone compiles the following zone:
@ IN SOA a a 111 2222 3333 4444 5555
a A 22.214.171.124
issues the following information:
/usr/sbin/named-compilezone -o example.zone example example.file
example.file:1: no TTL specified; using SOA MINTTL instead
zone example/IN: loaded serial 111
dump zone to example.zone...done
which results in the following zone:
example. 5555 IN SOA a.example. a.example. 111 2222 3333 4444 5555
example. 5555 IN NS a.example.
a.example. 5555 IN A 126.96.36.199
This way lies in the path of least surprise.
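As an added illustration (not code from this thread or from OpenDNSSEC), here is a minimal zone-file reader that fills in missing TTLs in the order discussed above: explicit record TTL, then $TTL, then a policy default (option 1), then SOA MINIMUM with a notice (option 3), or an error when run in strict mode (option 2). The zone text is the two-line example from the message; the function name, the strict/policy parameters and the simplified record syntax (no parentheses, no $ORIGIN expansion) are assumptions of this example.

```python
CLASSES = {"IN", "CH", "HS"}

# Constructed sample: the two-line zone from the message, with no $TTL and no per-record TTLs.
ZONE = """@ IN SOA a a 111 2222 3333 4444 5555
a A 22.214.171.124
"""

def resolve_ttls(zone_text, policy_default_ttl=None, strict=False):
    """Return ([(owner, ttl, rtype, rdata)], notices).
    TTL precedence: explicit record TTL > $TTL directive > policy_default_ttl
    > SOA MINIMUM (with a notice, like named-compilezone). With strict=True,
    or when no SOA has been seen yet, a missing TTL is an error instead."""
    default_ttl = None   # set by a $TTL directive
    soa_minimum = None   # last field of the first SOA record seen
    records, notices, last_owner = [], [], None
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line[0].isspace():                      # blank owner: reuse previous
            owner, fields = last_owner, line.split()
        else:
            owner, *fields = line.split()
            last_owner = owner
        ttl = None
        for _ in range(2):                         # TTL and class may appear in either order
            if fields and fields[0].isdigit():
                ttl = int(fields.pop(0))
            elif fields and fields[0] in CLASSES:
                fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SOA" and soa_minimum is None:
            soa_minimum = int(rdata[-1])
        if ttl is None:
            ttl = default_ttl if default_ttl is not None else policy_default_ttl
        if ttl is None:
            if strict or soa_minimum is None:
                raise ValueError(f"line {lineno}: no TTL specified for {owner} {rtype}")
            notices.append(f"line {lineno}: no TTL specified; using SOA MINTTL instead")
            ttl = soa_minimum
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records, notices

if __name__ == "__main__":
    for rec in resolve_ttls(ZONE)[0]:
        print(*rec)
```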