[Opendnssec-user] TTL for NS records at the parent should match the DS TTL

Michael Grimm trashcan at odo.in-berlin.de
Tue Feb 10 18:28:17 UTC 2015


Hi --

I recently implemented DNSSEC for some of my domains (in .net and .de). To get key management done I installed OpenDNSSEC.

As far as I and all those available services like http://www.nabber.org/projects/dnscheck/ can tell, all my domains are effectively secured now.

There is one issue left that I could not solve on my own yet, and that is the complaint from the nabber.org tool:

|	example.net.	172800	IN	NS	ns.example.net.
|	example.net.	86400	IN	DS	12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|		C
|	example.net.	172800	IN	NS	sns.example.net.
|	example.net.	86400	IN	DS	12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|		C
|	According to RFC 4035, the TTL for NS records at the parent should match the DS TTL.

Yes, and I can confirm that complaint with drill and the like, e.g.:

|	drill -D example.net @ @a.gtld-servers.net
|	;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35135
|	;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6 
|	;; QUESTION SECTION:
|	;; example.net.	IN	NS
|
|	;; ANSWER SECTION:
|
|	;; AUTHORITY SECTION:
|	example.net.	172800	IN	NS	ns.example.net.
|	example.net.	172800	IN	NS	sns.example.net.
|	example.net.	86400	IN	DS	12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

If I do understand the documentation of https://wiki.opendnssec.org/display/DOCS/kasp.xml correctly, then I should be able to set those TTL at the parent to my needs. Those were the default settings in my kasp.xml (policy default, and that's the one I am using for my domains):

|       <Parent>
|           <PropagationDelay>PT9999S</PropagationDelay>
|           <DS>
|               <TTL>PT3600S</TTL>
|           </DS>
|           <SOA>
|               <TTL>PT172800S</TTL>
|               <Minimum>PT10800S</Minimum>
|           </SOA>
|       </Parent>

Hmm, DS 3600 seconds versus 86400? Should I set it to PT172800S?

Must I just add an additional <NS>...</NS> section?
Shall I ignore those differences?
I cannot find 86400 anywhere in my kasp.xml.

I would very much appreciate some input/help from more experienced users of OpenDNSSEC than I am.

Thanks in advance and with kind regards,
Michael

P.S. If it is needed: I am running a hidden NSD master --> OpenDNSSEC signer --> 2 NSD slaves in FreeBSD service jails, and UNBOUND as recursive resolvers
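An added checker, not from the original post or from the OpenDNSSEC project, that reads a parent-side referral in the drill presentation format shown above together with the <Parent> block of a kasp.xml, and reports two things: the RFC 4035 section 2.4 NS/DS TTL mismatch the nabber.org tool complains about, and whether the kasp.xml DS TTL (which is OpenDNSSEC's assumption about the parent's DS TTL, used for rollover timing; the parent operator sets the real value) matches what the parent actually publishes. The referral and policy fragment are constructed samples built from the values quoted in the post, with the DS digest left as a placeholder.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the referral as a parent (.net) server returns it, drill/dig format.
REFERRAL = """\
example.net.\t172800\tIN\tNS\tns.example.net.
example.net.\t172800\tIN\tNS\tsns.example.net.
example.net.\t86400\tIN\tDS\t12345 8 1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""
# Constructed sample: the <Parent> block of an OpenDNSSEC kasp.xml policy.
KASP_PARENT = """\
<Parent>
  <PropagationDelay>PT9999S</PropagationDelay>
  <DS><TTL>PT3600S</TTL></DS>
  <SOA><TTL>PT172800S</TTL><Minimum>PT10800S</Minimum></SOA>
</Parent>
"""
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def iso_duration_seconds(text):
    """Seconds for the ISO 8601 durations kasp.xml uses (PT3600S, P1D, PT1H30M)."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def rrset_ttls(presentation):
    """Map each RR type in the referral (NS, DS, ...) to the set of TTLs seen for it."""
    ttls = {}
    for line in presentation.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            ttls.setdefault(fields[3], set()).add(int(fields[1]))
    return ttls

def check_delegation(presentation, kasp_parent_xml):
    """Return findings (empty list = consistent). RFC 4035 s2.4: the DS RRset TTL SHOULD
    match the delegating NS RRset TTL. kasp.xml <Parent><DS><TTL> is only OpenDNSSEC's
    assumption about that DS TTL (rollover timing); the parent sets the real value."""
    findings = []
    ttls = rrset_ttls(presentation)
    ns_ttl, ds_ttl = ttls.get("NS", set()), ttls.get("DS", set())
    if ns_ttl != ds_ttl:
        findings.append("parent NS TTL %s != DS TTL %s" % (sorted(ns_ttl), sorted(ds_ttl)))
    kasp_ds = iso_duration_seconds(ET.fromstring(kasp_parent_xml).findtext("DS/TTL"))
    if ds_ttl and kasp_ds not in ds_ttl:
        findings.append("kasp.xml assumes DS TTL %d, parent publishes %s" % (kasp_ds, sorted(ds_ttl)))
    return findings
```

Feeding it a referral captured from the parent's own name servers (as in the drill query above) rather than from a recursive resolver matters, since caches report decremented TTLs.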
