[Opendnssec-user] Set a very low TTL for a label

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Dec 19 10:27:13 UTC 2013


On 12/19/2013 10:15 AM, Ondřej Caletka wrote:
> Hi,
> I'm using OpenDNSSEC 1.3.2. I'm trying to set a very low TTL (like 60)
> for one label in the zone (the IP address is going to change and I want
> to minimize downtime). I noticed that in the signed file, all TTLs are
> clamped to the SOA minimum value set in KASP. When I lowered that value,
> all RRSIG and NSEC3 records in the zone were set to this lowest TTL.
> Is it somehow possible to lower TTL of only one label (and probably the
> nearest neighbours in the NSEC3 chain) without affecting all the
> signatures in the zone?

Something like that is not possible: All NSEC3 records' TTL will be set
to the SOA minimum value without exceptions. But if you are only going to
change the record (not removing or adding names), you don't need to worry
about the NSEC3 records' TTL.

I think you can just lower the TTL in the unsigned zone of the specific
domain name before changing the IP address.

Best regards,

> Regards,
> Ondřej Caletka,