[Opendnssec-user] TTL for the record set to 86400

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Oct 10 12:58:50 UTC 2017

On 10/10/2017 02:35 PM, Mathieu Arnold wrote:
> Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list).
> Today, in preparation for a migration, I downed TTLs in a few zones, and
> by chance, while looking for something else, I found in the logs that
> all the TTL I downed to 10 minutes (from 1 day) were being ignored with:
> Oct 10 14:23:57 ns1 ods-signerd: In zone file prepacolles.fr: TTL for
> the record 'mail.prepacolles.fr. 600 IN A' set to 86400
> I looked in the signer's source, I can't seem to find where and why it
> is doing that, or where to disable it.

That would be the code (in signer/src/signer/zone.c:zone_add_rr()) that
makes sure all records in a record set (i.e. all "A" records for
mail.prepacolles.fr) have the same TTL value.

Often overlooked is when you have a default TTL value in place, where
one of the records does not have a TTL value (and thus uses the default)
and the other has a TTL value specified.  In case you change one, you
should change both, or not use a default value.

For DNSSEC it is required to have all records use a single TTL value.


More information about the Opendnssec-user mailing list