[Opendnssec-user] Set a very low TTL for a label

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Dec 19 14:40:00 UTC 2013


On 12/19/2013 02:04 PM, Ondřej Caletka wrote:
> Hi,
> On 19.12.2013 11:27, Matthijs Mekking wrote:
>> Something like that is not possible: All NSEC3 records TTL will be set
>> to SOA minimum value without exceptions. But if you are only going to change
>> the record (not removing or adding names), you don't need to worry about
>> the NSEC3 records TTL.
>> I think you can just lower the TTL in the unsigned zone of the specific
>> domain name before changing the IP address.
> If I change the TTL to a lower value than Minimum TTL in KASP, it is
> clamped during the signing to the minimum TTL value. So I have to edit
> KASP to lower minimum TTL and resign the zone. After changing back to
> normal TTL, I should probably edit KASP again and set minimum TTL back
> to some reasonable value.

Setting a record to a low value (10) works for me with 1.3.2. My SOA
Minimum is 3600 but the TTL of the specific record is 10.

If it does not work for you, please file a bug report and provide an
example unsigned zone file and your kasp.xml.

Best regards,

> There should be a better way to do that.
> --
> Ondřej Caletka