[Opendnssec-develop] MaxZoneTTL

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Nov 29 15:03:20 UTC 2011

So I've been digging through the original Enforcer's code (a bit). And I
could not find the value used for the TTLs over the zonedata.

Then it hit me (Sion, correct me if wrong). The original enforcer does
not use nor need that data. Since the only rollover for a ZSK is one
that introduces the DNSKEY first and only then the signatures. The
signer does a /smooth/ rollover, thus the signature *lifetime* is the
only limiting factor.

So picking any default value for MaxZoneTTL is not going to break
consistency between the two implementations. Question is, what is a good
value? (The signer will also use this value, as a cap on the ttl).

I consulted my two nearest DNS experts and we agreed on 24 hours. Does
anyone have thoughts on this?


PS. While typing this I realized the original enforcer does infact need
this value when start signing a previously unsigned zone. At the very
least the DS must wait one Zonedata TTL. Sion, could you help me find
out what this value is?

Yuri Schaeffer
NLnet Labs

More information about the Opendnssec-develop mailing list