I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with
setting up dnssec. So far my tests are working well with dynamic updates
and validation of the dnssec records, but I have a question on how the
TTL is set for the NSEC and RRSIG NSEC records.
As a test, when I do the following update:
nsupdate
> ttl 7200
> update add ldap5.example.com CNAME ldap.example.com
> send
I then see the following set of entries via named-journalprint with the
respective TTLs.
add ldap5.example.com. 7200 IN CNAME ldap.example.com.
add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 ...
add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
It would appear that the NSEC and RRSIG NSEC TTLs are set to my
example.com zone's minimum TTL which is 86400 instead of inheriting the
TTL of 7200 that I set.
Is this the expected behavior? I guess I was hoping that since nsupdate
was auto-creating the NSEC and RRSIG NSEC records for me, they would
inherit the "ttl 7200" value.
Regards,
-Eric
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
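An added check, not part of the post above, that does what the poster did by eye: it parses named-journalprint output and verifies the DNSSEC TTL rules against it. RFC 4034 section 4 says an NSEC RR should carry the SOA minimum TTL, and section 3 says an RRSIG's TTL (and its Original TTL field) must match the RRset it covers, so the 86400 on the NSEC and RRSIG NSEC records in the journal is the value those rules call for, independent of the TTL given to nsupdate. The sample journal is constructed from the lines in the post; the RRSIG fields that the post elides with "..." (timestamps, key tag, signer, signature) and the SOA minimum of 86400 are assumptions made so the example runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample based on the named-journalprint lines in the post.
# The RRSIG inception/expiration, key tag, signer name and signature are
# placeholders (assumptions), since the post elides them with "...".
SAMPLE_JOURNAL = """\
add ldap5.example.com. 7200 IN CNAME ldap.example.com.
add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 20100131000000 20100101000000 12345 example.com. AAAA
add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 20100131000000 20100101000000 12345 example.com. AAAA
add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 20100131000000 20100101000000 12345 example.com. AAAA
add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
"""

# Assumed: the zone's SOA minimum TTL, as stated in the post (the journal
# excerpt itself carries no SOA record to read it from).
ASSUMED_SOA_MINIMUM = 86400

# named-journalprint lines look like: "<add|del> <owner> <ttl> IN <type> <rdata>"
LINE_RE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")

Record = Tuple[str, str, int, str, str]  # (op, owner, ttl, rtype, rdata)


def parse_journal(text: str) -> List[Record]:
    """Parse named-journalprint output into (op, owner, ttl, rtype, rdata) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable journal line: {line!r}")
        op, owner, ttl, rtype, rdata = m.groups()
        records.append((op, owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def check_dnssec_ttls(text: str, soa_minimum: int) -> List[str]:
    """Return a list of human-readable violations of the RFC 4034 TTL rules.

    Checks applied to the 'add' records of a journal:
      1. NSEC TTL must equal the SOA minimum TTL (RFC 4034 s.4).
      2. RRSIG TTL must equal the TTL of the RRset it covers (RFC 4034 s.3).
      3. RRSIG Original TTL field must equal the RRSIG's own TTL (RFC 4034 s.3).
    """
    records = [r for r in parse_journal(text) if r[0] == "add"]

    # TTL of every non-RRSIG RRset present in this journal, keyed by (owner, type).
    rrset_ttl: Dict[Tuple[str, str], int] = {}
    for _, owner, ttl, rtype, _ in records:
        if rtype != "RRSIG":
            rrset_ttl[(owner, rtype)] = ttl

    findings: List[str] = []
    for _, owner, ttl, rtype, rdata in records:
        if rtype == "NSEC" and ttl != soa_minimum:
            findings.append(f"{owner} NSEC TTL {ttl} != SOA minimum {soa_minimum}")
        elif rtype == "RRSIG":
            fields = rdata.split()
            covered = fields[0].upper()          # type covered
            original_ttl = int(fields[3])        # Original TTL field
            if original_ttl != ttl:
                findings.append(
                    f"{owner} RRSIG {covered} original TTL {original_ttl} != record TTL {ttl}"
                )
            covered_ttl = rrset_ttl.get((owner, covered))
            if covered_ttl is not None and covered_ttl != ttl:
                findings.append(
                    f"{owner} RRSIG {covered} TTL {ttl} != covered RRset TTL {covered_ttl}"
                )
    return findings


if __name__ == "__main__":
    problems = check_dnssec_ttls(SAMPLE_JOURNAL, ASSUMED_SOA_MINIMUM)
    print("no TTL violations" if not problems else "\n".join(problems))
```

Run it against the real journal with `named-journalprint zone.jnl | python3 check_ttls.py` after swapping the sample for stdin; the point is that a journal in which the NSEC records had inherited the nsupdate TTL of 7200 would be the one that trips the check, not the one shown in the post.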