[Opendnssec-user] TTL changed by signer -- why and what pattern?

Rick van Rein rick at openfortress.nl
Wed Jun 27 11:25:19 UTC 2012


A while back, I tried to set a TTL to 300, for quickly swapping a web server
from an old location to a new.  I was surprised to see that OpenDNSSEC signed
the record but set the TTL to 7200.  On another OpenDNSSEC system, we found
that that system's MX record's TTL was not changed, but an A or AAAA record

What is the *reason* behind setting a higher TTL?  Is it to offload the name
servers and caches?  I would assume that this can be left to the administrator
of the zone, i.o.w. that the TTL from the unsigned zone could be replicated?

Note that I am not saying anything about signature validity -- as long as
the TTL is the same on the record and signature, that oughtn't give a
problem -- right?

What is the *logic* that is used to change the TTL?  I mean, with possibly
different treatment of MX and A/AAAA records, I find it hard to see what is
done in general.


More information about the Opendnssec-user mailing list