[Opendnssec-develop] How to handle TTL < SOA Minimum

Alex Dalitz AlexD at nominet.org.uk
Fri Jul 23 08:38:11 UTC 2010


On 22 Jul 2010, at 13:00, Matthijs Mekking wrote:

> Hi,
> 
> In the process of moving the c based signer engine into trunk, I bumped
> into several issues, one being related to TTLs. I have a RR that has the
> TTL field omitted. The signer fills in the SOA Minimum or the $TTL,
> if set. The auditor correctly pointed out that I should take the last
> explicitly stated value instead.
> 
> Now here it comes: this is a TTL that is lower than the SOA MINIMUM. How
> should we handle those TTLs? Must the signer use the explicit TTL or the
> SOA MINIMUM in this case? I think so.

I think so too.

> Such a change also has
> consequences for the auditor. Because the RR is changed, the current
> auditor will complain.

I will change the spec and implementation to deal with this (unless somebody else speaks up!).

> Also, it would be good to check if the DNSKEY TTL and SOA TTL in the
> signer configuration are equal to or higher than the SOA Minimum
> configuration value.

Yes - I'll add that to the requirements and implementation.

Thanks,


Alex.