[Opendnssec-develop] How to handle TTL < SOA Minimum

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Jul 22 12:00:37 UTC 2010


Hi,

In the process of moving the C-based signer engine into trunk, I bumped
into several issues, one being related to TTLs. I have an RR that has the
TTL field omitted. The signer fills in the SOA Minimum or the $TTL,
if set. The auditor correctly pointed out that I should take the last
explicitly stated value instead.

Now it comes, this is a TTL that is lower than the SOA MINIMUM. How
should we handle those TTLs? Must the signer use the explicit TTL or the
SOA MINIMUM in this case? I think so. Such a change also has
consequences for the auditor. Because the RR is changed, the current
auditor will complain.

Also, it would be good to check if the DNSKEY TTL and SOA TTL in the
signer configuration are equal to or higher than the SOA Minimum
configuration value.


Best regards,

Matthijs
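
The TTL cases raised in the message above, as an added example that is not part of the original post and is not OpenDNSSEC code: it fills in omitted TTLs, lists the RRs that end up below the SOA MINIMUM, and runs the proposed configuration check. The zone text, the function names and the fallback order (last explicit TTL, then $TTL, then SOA MINIMUM) are assumptions made for illustration.

```python
# Added example, not OpenDNSSEC code. Assumes one RR per line, owner always
# present, class always "IN", integer TTLs, single-line SOA, SOA present.
ZONE = """\
$TTL 3600
example.com. IN SOA ns1.example.com. host.example.com. 1 7200 900 1209600 3600
example.com. 300 IN NS ns1.example.com.
ns1.example.com. IN A 192.0.2.1
www.example.com. 7200 IN A 192.0.2.2
"""  # constructed sample input

def resolve_ttls(text):
    """Return (records, soa_minimum); a record is (owner, ttl, rtype, source)."""
    default_ttl = last_explicit = soa_min = None
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "$TTL":
            default_ttl = int(f[1])
            continue
        owner, rest = f[0], f[1:]
        if rest[0].isdigit():                  # explicit TTL on this RR
            ttl, source = int(rest[0]), "explicit"
            last_explicit = ttl
            rest = rest[1:]
        elif last_explicit is not None:        # the auditor's rule from the message
            ttl, source = last_explicit, "last-explicit"
        elif default_ttl is not None:
            ttl, source = default_ttl, "$TTL"
        else:
            ttl, source = None, "soa-minimum"  # filled in after the SOA is read
        rtype = rest[1]                        # rest[0] is the class "IN"
        if rtype == "SOA":
            soa_min = int(rest[-1])            # last SOA field is MINIMUM
        records.append((owner, ttl, rtype, source))
    records = [(o, soa_min if t is None else t, r, s) for o, t, r, s in records]
    return records, soa_min

def below_minimum(records, soa_min):
    """RRs whose effective TTL is lower than SOA MINIMUM (the case asked about)."""
    return [rec for rec in records if rec[1] < soa_min]

def check_signer_ttls(dnskey_ttl, soa_ttl, soa_min):
    """Config check proposed in the message: both TTLs must be >= SOA Minimum."""
    pairs = (("DNSKEY TTL", dnskey_ttl), ("SOA TTL", soa_ttl))
    return [name for name, value in pairs if value < soa_min]
```

With the sample zone, the explicit 300 on the NS record is also inherited by the A record that follows it, so both fall below the SOA MINIMUM of 3600.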