[Opendnssec-develop] TTL for signatures

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Aug 11 11:39:37 UTC 2011


Hi,

In yesterday's call we discussed that kasp.xml must include some
parameter for the worst-case TTL of the zone data. I see two options for
including this in the XML:

<KASP>
..<Policy>
....<Signatures>
......<TTL>****</TTL>
....<Zone>
......<TTL>****</TTL>

KASP.Policy.Signatures.TTL

Con: The RRSIG record does *not* actually get published with this TTL (but
rather with the TTL of the RRset it signs). Thus confusing.
Pro: It *is* the TTL the enforcer will use in any case. Thus the
effective TTL for signatures, even if published otherwise.

KASP.Policy.Zone.TTL

Pro: More accurate. It is the (max) TTL of data in the zone.
Con: User might think his RRs will be published with this TTL.

I think we should go for the second option. Apart from that, MaxZoneTTL
might be a better name than just TTL.

//yuri
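The value for the element discussed above is the largest TTL of any RR the signer publishes: caches may hold an old RRset together with its RRSIG for that long after the zone is re-signed, so the enforcer has to wait at least that long before retiring a key or its signatures. The script below is an added example, not OpenDNSSEC's own code. It computes that maximum from a zone file (handling the $TTL default, TTL inheritance from the previous record, explicit TTLs, BIND-style unit suffixes and multi-line SOA records) and prints it in the PT...S duration notation kasp.xml uses; the MaxZoneTTL element name is the one proposed in the mail, and the sample zone is constructed for the example.

```python
"""Find the worst-case (maximum) TTL of the data in a zone file.

Added example, not OpenDNSSEC code.  The result is the value a policy
author would put into the proposed Zone/MaxZoneTTL element of kasp.xml
(element name taken from the mail; PT...S is the xsd:duration notation
kasp.xml uses for its other periods).
"""
import re

CLASSES = {"IN", "CH", "HS", "CS"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample zone (not from the original post).  It mixes the
# cases that matter: a $TTL default, a multi-line SOA, records that
# inherit the default, an explicit larger TTL and a BIND unit suffix.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@           IN SOA ns1 hostmaster (
                   2011081101 ; serial
                   7200 3600 1209600 300 )
            IN NS  ns1
            IN NS  ns2
ns1         IN A   192.0.2.1
ns2   86400 IN A   192.0.2.2   ; explicit TTL larger than $TTL
www         IN CNAME ns1
mail  1d    IN MX  10 ns1      ; BIND-style unit suffix, 86400s
"""


def parse_ttl(token):
    """Return seconds for a TTL token ('300', '1h30m', '2D'), or None if
    the token is not a TTL at all (class, type, owner name ...)."""
    token = token.lower()
    parts = re.findall(r"(\d+)([smhdw]?)", token)
    if not parts or "".join(n + u for n, u in parts) != token:
        return None
    return sum(int(n) * UNITS[u or "s"] for n, u in parts)


def _logical_lines(zone_text):
    """Strip ';' comments and join '( ... )' continuations into one line,
    keeping the first line's leading whitespace (owner-name inheritance)."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # no quoted-';' handling (TXT)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def max_zone_ttl(zone_text):
    """Return (max_ttl, {rrtype: max_ttl_for_type}) over all RRs.

    TTL resolution follows RFC 1035/2308: an explicit TTL field wins, else
    the $TTL default, else the TTL of the previous record."""
    default_ttl = last_ttl = None
    last_owner = None
    max_ttl, per_type = 0, {}
    for line in _logical_lines(zone_text):
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$TTL":
                default_ttl = parse_ttl(fields[1])
            continue                          # $ORIGIN/$INCLUDE: no TTL effect
        if not line[0].isspace():
            last_owner = fields.pop(0)
        if last_owner is None:
            raise ValueError("record without owner name: %r" % line)
        ttl = cls = None
        # [<TTL>] [<class>] in either order, then the RR type.
        while fields:
            if cls is None and fields[0].upper() in CLASSES:
                cls = fields.pop(0)
            elif ttl is None and parse_ttl(fields[0]) is not None:
                ttl = parse_ttl(fields.pop(0))
            else:
                break
        if not fields:
            raise ValueError("record without type: %r" % line)
        rtype = fields[0].upper()
        if ttl is None:
            ttl = default_ttl if default_ttl is not None else last_ttl
        if ttl is None:
            raise ValueError("no TTL and no $TTL for %s %s" % (last_owner, rtype))
        last_ttl = ttl
        max_ttl = max(max_ttl, ttl)
        per_type[rtype] = max(per_type.get(rtype, 0), ttl)
    return max_ttl, per_type


def to_duration(seconds):
    """xsd:duration form used in kasp.xml, e.g. 86400 -> 'PT86400S'."""
    return "PT%dS" % seconds


if __name__ == "__main__":
    worst, by_type = max_zone_ttl(SAMPLE_ZONE)
    for rtype, ttl in sorted(by_type.items()):
        print("%-6s %d" % (rtype, ttl))
    print("<MaxZoneTTL>%s</MaxZoneTTL>" % to_duration(worst))
```

Run against a real zone file, the per-type table shows which records drive the worst case; in the sample it is the explicit 86400 on the ns2 A record and the 1d MX, not the 3600 default that most of the zone uses.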