[Opendnssec-user] TTL for the record set to 86400

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Oct 10 19:50:59 UTC 2017


> Ok, but, then, as all records in the unsigned zone have 600 for their
> specific TTLs, and mail.prepacolles.fr only has one record, the A, why
> would the TTL 600 be dropped? (The zones go through named-compilezone to
> expand any BIND9 artefacts like $GENERATE and such.)

I believe this is a manifestation of bug OPENDNSSEC-890. As Barry
explained, the Signer should enforce the same TTL on all RRs within an
RRSET. Therefore it looks through all TTLs of the RRSET and decides what
the best value should be. This is all good and well, but it erroneously
considered the TTLs of the just deleted records as well. This can make a
TTL sticky and explains your case.

The fix for this will be in the next OpenDNSSEC 2 release (for which a
date is not scheduled yet). As a workaround a full AXFR should resolve
the issue for now.

//Yuri
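
The following is an added example, not part of the original message and not OpenDNSSEC code: a check that compares per-RRset TTLs between the unsigned zone and the signer's output, to spot a sticky TTL like the one described above. It assumes both files are in one-record-per-line form (as named-compilezone writes them); the zone data, the function names and the list of excluded record types are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample zones (not from the thread): "owner TTL class type rdata".
UNSIGNED = """\
example.test.      600 IN SOA ns.example.test. host.example.test. 1 3600 600 86400 600
example.test.      600 IN NS  ns.example.test.
mail.example.test. 600 IN A   192.0.2.10
www.example.test.  600 IN A   192.0.2.20
"""
SIGNED = """\
example.test.      600   IN SOA ns.example.test. host.example.test. 2 3600 600 86400 600
example.test.      600   IN NS  ns.example.test.
mail.example.test. 86400 IN A   192.0.2.10
mail.example.test. 86400 IN RRSIG A 8 3 86400 20171101000000 20171010000000 12345 example.test. c2ln
www.example.test.  600   IN A   192.0.2.20
"""

# Assumption: types the signer generates or may rewrite are not compared.
SIGNER_OWNED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "SOA"}


def rrset_ttls(zone_text):
    """Map (owner, type) -> set of TTLs seen on the RRs of that RRset."""
    ttls = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 5:
            continue  # blank line or not a full resource record
        owner, ttl, _cls, rtype = fields[:4]
        ttls[(owner.lower(), rtype.upper())].add(int(ttl))
    return ttls


def ttl_drift(unsigned_text, signed_text):
    """Return (owner, type, unsigned TTLs, signed TTLs) for RRsets that differ."""
    before, after = rrset_ttls(unsigned_text), rrset_ttls(signed_text)
    drift = []
    for (owner, rtype) in sorted(before):
        key = (owner, rtype)
        if rtype in SIGNER_OWNED or key not in after:
            continue
        if before[key] != after[key]:
            drift.append((owner, rtype, sorted(before[key]), sorted(after[key])))
    return drift


if __name__ == "__main__":
    for owner, rtype, was, now in ttl_drift(UNSIGNED, SIGNED):
        print(f"{owner} {rtype}: unsigned TTL {was} -> signed TTL {now}")
```

Running the same comparison again after the full AXFR workaround shows whether the signed TTL has returned to the value in the unsigned zone.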
