[Opendnssec-develop] How to handle TTL < SOA Minimum
AlexD at nominet.org.uk
Fri Jul 23 08:38:11 UTC 2010
On 22 Jul 2010, at 13:00, Matthijs Mekking wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> In the process of moving the c based signer engine into trunk, I bumped
> into several issues, one being related to TTLs. I have a RR that has the
> TTL field omitted. The signer fills in the the SOA Minimum or the $TTL,
> if set. The auditor correctly pointed out that I should take the last
> explicit stated value instead.
> Now it comes, this is a TTL that is lower than the SOA MINIMUM. How
> should we handle those TTLs? Must the signer use the explicit TTL or the
> SOA MINIMUM in this case? I think so.
I think so too.
> Such a change also has
> consequences for the auditor. Because the RR is changed, the current
> auditor will complain.
I will change the spec and implementation to deal with this (unless somebody else speaks up!).
> Also, it would be good to check if the DNSKEY TTL and SOA TTL in the
> signer configuration is equal or higher than the SOA Minimum
> configuration value.
Yes - I'll add that to the requirements and implementation.
More information about the Opendnssec-develop