[Opendnssec-user] SOA TTL behaviour

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Sep 11 08:10:01 UTC 2012


Hi Paul,

The core design of OpenDNSSEC consists of two daemons, the enforcer and
the signer. The enforcer takes care of key management, the signer takes
care of zone management. We made the decision that the enforcer should
not have access to the zone contents. But some zone parameters are
needed in order to implement the correct timings for key rollovers. The
SOA TTL is used to calculate the time RRsets can end up in the NCACHE:

	min(SOA TTL, SOA MINIMUM)

Best regards,
  Matthijs
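As an added example (not OpenDNSSEC's own code), the following script computes the negative-cache TTL exactly as stated above, min(SOA TTL, SOA MINIMUM), from the SOA in the unsigned zone and from the kasp.xml <SOA> override, and reports which fields have drifted apart; the SOA record and the kasp.xml fragment are constructed samples, and the <Policy>/<Zone>/<SOA>/<TTL>,<Minimum> layout is assumed from the default kasp.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SOA RR as it appears in the unsigned zone file.
UNSIGNED_SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                "2012091101 7200 900 1209600 300")

# Constructed sample: the <Zone><SOA> override of a kasp.xml policy (ISO 8601 durations).
KASP_XML = """<KASP><Policy name="default"><Zone>
  <SOA><TTL>PT7200S</TTL><Minimum>PT300S</Minimum><Serial>keep</Serial></SOA>
</Zone></Policy></KASP>"""

def parse_soa(rr):
    """Return (ttl, minimum) from a one-line SOA RR in presentation format."""
    fields = rr.split()
    # owner ttl class SOA mname rname serial refresh retry expire minimum
    if len(fields) != 11 or fields[2].upper() != "IN" or fields[3].upper() != "SOA":
        raise ValueError("not a one-line SOA RR with explicit TTL and class")
    return int(fields[1]), int(fields[10])

def parse_duration(text):
    """Seconds from a restricted ISO 8601 duration such as PT3600S, PT1H or P1D."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def kasp_soa(xml_text, policy="default"):
    """Return (ttl, minimum) in seconds that the policy's <SOA> override prescribes."""
    root = ET.fromstring(xml_text)
    soa = root.find(f"./Policy[@name='{policy}']/Zone/SOA")
    return parse_duration(soa.findtext("TTL")), parse_duration(soa.findtext("Minimum"))

def ncache_ttl(ttl, minimum):
    """Negative-cache TTL as RFC 2308 defines it: min(SOA TTL, SOA MINIMUM)."""
    return min(ttl, minimum)

def check_soa_override(rr, xml_text, policy="default"):
    """Compare the unsigned zone's SOA with the kasp.xml override.
    Returns (zone_ncache, kasp_ncache, mismatches); mismatches names the
    fields whose override no longer matches the unsigned zone file."""
    z_ttl, z_min = parse_soa(rr)
    k_ttl, k_min = kasp_soa(xml_text, policy)
    mismatches = [name for name, a, b in (("TTL", z_ttl, k_ttl), ("Minimum", z_min, k_min)) if a != b]
    return ncache_ttl(z_ttl, z_min), ncache_ttl(k_ttl, k_min), mismatches

if __name__ == "__main__":
    print(check_soa_override(UNSIGNED_SOA, KASP_XML))  # (300, 300, ['TTL'])
```

With the sample values the negative-cache TTL the enforcer derives is unchanged (300 s) even though the signed zone's SOA TTL differs from the unsigned one, which is the kind of silent divergence a check like this is meant to surface.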


On 09/11/2012 12:26 AM, Paul Wouters wrote:
> 
> While investigating why a bind signer and an opendnssec signer ended up
> with a different SOA record from the same unsigned zone, I found that
> opendnssec modified the SOA's TTL.
> 
> Its behaviour is defined in the kasp.xml <SOA> section that provides
> the override, but does not seem to have an option "keep" (like it does
> for the serial).
> 
> I would prefer to not have to hardcode a TTL value outside of the
> unsigned zone file. If this ever changes, someone will forget to
> update the kasp.xml to match the unsigned zonefile's SOA TTL value.
> 
> Is there a reason why opendnssec wants to take over control of this
> value?
> 
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

