[Opendnssec-user] TTL for the record set to 86400
Berry A.W. van Halderen
berry at nlnetlabs.nl
Tue Oct 10 12:58:50 UTC 2017
On 10/10/2017 02:35 PM, Mathieu Arnold wrote:
> Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list).
>
> Today, in preparation for a migration, I lowered TTLs in a few zones, and
> by chance, while looking for something else, I found in the logs that
> all the TTLs I lowered to 10 minutes (from 1 day) were being ignored with:
>
> Oct 10 14:23:57 ns1 ods-signerd: In zone file prepacolles.fr: TTL for
> the record 'mail.prepacolles.fr. 600 IN A 79.143.244.130' set to 86400
>
> I looked in the signer's source, but I can't seem to find where and why it
> is doing that, or where to disable it.
>
That would be the code (in signer/src/signer/zone.c:zone_add_rr()) that
makes sure all records in a record set (i.e. all "A" records for
mail.prepacolles.fr) have the same TTL value.
An often overlooked case is having a default TTL value in place, where
one of the records does not have a TTL value (and thus uses the default)
and the other has a TTL value specified. If you change one, you
should change both, or not use a default value.
For DNSSEC it is required to have all records use a single TTL value.
\Berry
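The mixed-TTL situation Berry describes, as an added example that is not OpenDNSSEC's own code: a small pre-signing lint, written here for illustration, that parses a simplified zone file, applies $TTL to records carrying no explicit TTL, groups records into RRsets by (owner, class, type) and reports every record whose TTL differs from the first record seen in that RRset, in the same shape as the ods-signerd log line quoted above. The zone data is constructed: the mail/79.143.244.130 record and the 86400/600 values come from the thread, the 192.0.2.x addresses and the NS record are made up. It assumes the first record seen fixes the RRset TTL (consistent with the log line, where the 600 record was set to 86400); the real zone_add_rr() may choose differently, so treat this as a model of the rule, not a reimplementation.

```python
"""Added example, not OpenDNSSEC code: a lint that flags RRsets with mixed
TTLs before the signer silently rewrites them.  Assumption: the first record
seen fixes the RRset TTL (the real signer's choice may differ)."""

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone: $TTL 86400 is the default, the first 'mail' A
# record has no explicit TTL (so it inherits 86400) and the second was
# lowered to 600 by hand.  That is the mixed-TTL RRset the signer "fixes".
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN prepacolles.fr.
@        IN NS  ns1.prepacolles.fr.
mail     IN A   192.0.2.10
mail 600 IN A   79.143.244.130
www  600 IN A   192.0.2.20
www  600 IN A   192.0.2.21
"""

# The fix suggested in the thread: give both records of the RRset the same
# explicit TTL (or drop the $TTL default so nothing inherits 86400 unnoticed).
FIXED_ZONE = SAMPLE_ZONE.replace("mail     IN A", "mail 600 IN A")


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text):
    """Parse a simplified master-file zone into a list of record dicts.
    Handles $TTL, $ORIGIN, ';' comments, blank owners (repeat the previous
    owner) and the TTL placed before or after the class.  Numeric TTLs only
    and no multi-line records: enough for the pattern under discussion."""
    origin, default_ttl, last_owner, records = ".", None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0)
        if owner is None:
            raise ValueError("blank owner with no previous record")
        owner = qualify(owner, origin)
        last_owner = owner
        ttl, explicit, cls = default_ttl, False, "IN"
        if fields[0].isdigit():                  # owner TTL class type ...
            ttl, explicit = int(fields.pop(0)), True
        if fields[0].upper() in CLASSES:
            cls = fields.pop(0).upper()
        if fields[0].isdigit():                  # owner class TTL type ...
            ttl, explicit = int(fields.pop(0)), True
        if ttl is None:
            raise ValueError(f"{owner}: no TTL and no $TTL default in effect")
        rtype = fields.pop(0).upper()
        records.append(dict(owner=owner, ttl=ttl, explicit=explicit,
                            cls=cls, rtype=rtype, rdata=" ".join(fields)))
    return records


def check_rrsets(records):
    """Group records into RRsets; return (rrset_ttls, mismatches) where each
    mismatch is (record, TTL the signer would force on it)."""
    rrset_ttls, mismatches = {}, []
    for r in records:
        key = (r["owner"], r["cls"], r["rtype"])
        if key not in rrset_ttls:
            rrset_ttls[key] = r["ttl"]           # first record fixes the TTL
        elif r["ttl"] != rrset_ttls[key]:
            mismatches.append((r, rrset_ttls[key]))
    return rrset_ttls, mismatches


def lint_zone(text, zone_name):
    """Return warnings shaped like the ods-signerd log line; a record that
    got its TTL from $TTL rather than from the line itself is marked."""
    _, mismatches = check_rrsets(parse_zone(text))
    return [f"In zone file {zone_name}: TTL for the record "
            f"'{r['owner']} {r['ttl']} {r['cls']} {r['rtype']} {r['rdata']}' "
            f"set to {forced}" + ("" if r["explicit"] else " (TTL inherited from $TTL)")
            for r, forced in mismatches]


if __name__ == "__main__":
    for warning in lint_zone(SAMPLE_ZONE, "prepacolles.fr") or ["no mixed TTLs"]:
        print(warning)
    print("after fix:", lint_zone(FIXED_ZONE, "prepacolles.fr") or "no mixed TTLs")
```

Run it over a zone before handing the zone to the signer: an empty result means every RRset already agrees on one TTL and the signer has nothing to rewrite, which is the state you want after lowering TTLs for a migration.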