[Opendnssec-user] TTL for NS records at the parent should match the DS TTL

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Feb 10 21:25:10 UTC 2015



Hi Michael,

> Hmm, DS 3600 seconds versus 86400? Should I set it to PT172800S?
> 
> Must I just add an additional <NS>...</NS> section? Shall I ignore
> those differences? I cannot find 86400 in my kasp.xml anywhere?

I think I know what the confusion is about.

The DS/TTL is to inform OpenDNSSEC about how this record is published
at the parent, rather than an instruction to publish it with TTL X.

It needs this information to get the timing right and it is important
in case you are rolling your KSK. So set it in the KASP to 86400 seconds.

As for the 4035 compliance issue, you must take this up with your
parent/registrar. Most likely you can fix it in their web interface.

Regards,
Yuri
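
Added example (not part of the original message and not OpenDNSSEC code): a check that the Parent/DS/TTL value in kasp.xml matches the TTL the parent actually serves for the DS record, which is what the reply above says OpenDNSSEC relies on for KSK rollover timing. The policy names, the observed TTL values and the 365-day year / 31-day month conversion are assumptions made for this sketch.

```python
import re
import xml.etree.ElementTree as ET

# xsd:duration subset used in kasp.xml, e.g. PT3600S, P1D, P1DT12H.
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
# Assumption: a year counts as 365 days and a month as 31 days.
_UNIT_SECONDS = (365 * 86400, 31 * 86400, 7 * 86400, 86400, 3600, 60, 1)

def duration_to_seconds(text):
    """Convert a duration such as 'PT86400S' to a number of seconds."""
    match = _DURATION.match(text.strip())
    if not match or not any(match.groups()):
        raise ValueError("not a usable duration: %r" % text)
    return sum(int(v) * u for v, u in zip(match.groups(), _UNIT_SECONDS) if v)

def check_parent_ds_ttl(kasp_xml, observed):
    """Return {policy: (configured, observed)} where Parent/DS/TTL differs
    from the DS TTL seen at the parent (observed: policy name -> seconds)."""
    findings = {}
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        name = policy.get("name")
        ttl = policy.findtext("Parent/DS/TTL")
        if ttl is None or name not in observed:
            continue  # nothing to compare for this policy
        configured = duration_to_seconds(ttl)
        if configured != observed[name]:
            findings[name] = (configured, observed[name])
    return findings

# Constructed sample: a trimmed kasp.xml holding only the Parent sections.
SAMPLE_KASP = """
<KASP>
  <Policy name="default">
    <Parent><DS><TTL>PT3600S</TTL></DS></Parent>
  </Policy>
  <Policy name="lab">
    <Parent><DS><TTL>P1D</TTL></DS></Parent>
  </Policy>
</KASP>
"""
# Constructed sample: DS TTLs as read from the parent's authoritative answer.
OBSERVED = {"default": 86400, "lab": 86400}

if __name__ == "__main__":
    for name, (cfg, seen) in check_parent_ds_ttl(SAMPLE_KASP, OBSERVED).items():
        print("%s: kasp.xml says %ds, parent serves %ds" % (name, cfg, seen))
```

The observed value has to come from an authoritative server of the parent zone; a TTL read from a caching resolver counts down and will not match.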


