[Opendnssec-user] opendnssec: NSEC3PARAM TTL

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 13 06:48:34 UTC 2012


Hi,

Funny. The TTL for NSEC3PARAM was 0 in a very early version of
OpenDNSSEC. However, it does not matter what the TTL is: according to
RFC 5155 the record is not used by validators or resolvers.

The standard also does not dictate any values for the NSEC3PARAM TTL,
so we decided to follow the normal TTL rules.

Best regards,
  Matthijs

On 09/12/2012 11:32 PM, Paul Wouters wrote:
> 
> Hi,
> 
> I've almost reached the point where verification of an opendnssec
> and bind signed zone files are identical (after ldns-read-zone -0
> to strip out RRSIG and jitter).
> 
> In bind, the NSEC3PARAM has a TTL of 0. In opendnssec, it gets the 
> default ttl, in my case 3600.
> 
> Since this record is kind of special, I think I agree with bind
> that we should not store it in any caches anywhere, and so a TTL=0
> seems to be the right value. I've attached a patch for this in
> opendnssec.
> 
> Paul


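Added example, not part of the original thread and not OpenDNSSEC or BIND code: a small comparison of two signers' zone dumps that separates TTL-only mismatches, such as the NSEC3PARAM TTL discussed above, from records that are actually missing on one side. The zone contents, the names `parse` and `compare`, and the one-record-per-line input format are assumptions made for this illustration.

```python
# Added example: classify differences between two signed zone dumps.
# Assumes one fully expanded record per line: owner TTL class type rdata.

# Constructed sample data, not taken from the thread.
BIND_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 0 IN NSEC3PARAM 1 0 5 ABCD
example.com. 3600 IN RRSIG NS 8 2 3600 20121001000000 20120901000000 12345 example.com. AAAA
"""
# Same zone from a second signer: NSEC3PARAM gets the default TTL, signature differs.
ODS_ZONE = BIND_ZONE.replace("0 IN NSEC3PARAM", "3600 IN NSEC3PARAM").replace("AAAA", "BBBB")


def parse(text):
    """Return {(owner, type, rdata): ttl}, skipping RRSIGs, comments and blank lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        if rtype.upper() == "RRSIG":
            continue  # signatures always differ between signers
        records[(owner.lower(), rtype.upper(), " ".join(rdata))] = int(ttl)
    return records


def compare(a_text, b_text):
    """Split differences into records missing on one side and TTL-only mismatches."""
    a, b = parse(a_text), parse(b_text)
    return {
        "only_a": sorted(k for k in a if k not in b),
        "only_b": sorted(k for k in b if k not in a),
        "ttl_only": {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }


if __name__ == "__main__":
    for key, (ttl_a, ttl_b) in compare(BIND_ZONE, ODS_ZONE)["ttl_only"].items():
        print(f"{key[0]} {key[1]}: TTL {ttl_a} vs {ttl_b}")
```
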