In message <4c1a7319.3010...@usc.edu>, Eric Ham writes:

> I'm using 9.7.0-P2 to test with dynamic updates via nsupdate along with
> setting up dnssec. So far my tests are working well with dynamic updates
> and validation of the dnssec records, but I have a question on how the
> TTL is set for the NSEC and RRSIG NSEC records.
>
> As a test, when I do the following update:
>
> nsupdate
> > ttl 7200
> > update add ldap5.example.com CNAME ldap.example.com
> > send
>
> I then see the following set of entries via named-journalprint with the
> respective TTLs.
>
> add ldap5.example.com. 7200 IN CNAME ldap.example.com.
> add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 ...
> add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
> add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 ...
> add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
> add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
>
> It would appear that the NSEC and RRSIG NSEC TTLs are set to my
> example.com zone's minimum TTL which is 86400 instead of inheriting the
> TTL I set of 7200.
>
> Is this the expected behavior? I guess I was hoping that since nsupdate
> was auto creating the NSEC and RRSIG NSEC records for me, that it would
> inherit the "ttl 7200" value.
Yes. Negative response TTL is set from the SOA minimum field (RFC 2308).
NSEC and NSEC3 records prove negative responses.

> Regards,
> -Eric
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
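The TTL rule Mark states (NSEC and its RRSIG carry the SOA minimum, every other RRSIG carries the TTL of the RRset it covers, and the RRSIG's own "original TTL" field must agree) is something a practitioner can check mechanically against named-journalprint output after a signed dynamic update. The following Python is an added example written for this page, not code from the thread, from ISC or from BIND; it parses journal lines in the format shown in the question and reports any TTL that breaks those rules. The journal lines are constructed to match the thread (the RRSIG timestamps, key tag and signature fields are placeholders), and the SOA minimum of 86400 is assumed from the question.

```python
import re

# Constructed sample in named-journalprint style: the records a dynamic update
# with "ttl 7200" produced in a zone whose SOA minimum field is 86400. The RRSIG
# timestamps, key tag and signature data are placeholders, not real values.
SAMPLE_JOURNAL = """\
add ldap5.example.com. 7200 IN CNAME ldap.example.com.
add ldap5.example.com. 7200 IN RRSIG CNAME 5 3 7200 20100701000000 20100601000000 12345 example.com. c2lnMQ==
add ldap5.example.com. 86400 IN RRSIG NSEC 5 3 86400 20100701000000 20100601000000 12345 example.com. c2lnMg==
add ldap4.example.com. 86400 IN RRSIG NSEC 5 3 86400 20100701000000 20100601000000 12345 example.com. c2lnMw==
add ldap4.example.com. 86400 IN NSEC ldap5.example.com. CNAME RRSIG NSEC
add ldap5.example.com. 86400 IN NSEC ldp.example.com. CNAME RRSIG NSEC
"""

SOA_MINIMUM = 86400  # assumed: the zone's SOA minimum field, as in the thread

# named-journalprint record lines look like: "<add|del> <owner> <ttl> IN <type> <rdata>"
JOURNAL_LINE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")


def parse_journal(text):
    """Return a list of (op, owner, ttl, rtype, rdata) tuples, skipping lines
    that do not look like journal records (for example a header line)."""
    records = []
    for line in text.splitlines():
        m = JOURNAL_LINE.match(line.strip())
        if m:
            op, owner, ttl, rtype, rdata = m.groups()
            records.append((op, owner, int(ttl), rtype, rdata))
    return records


def check_ttls(records, soa_minimum):
    """Return a list of problem descriptions (empty means everything is consistent).

    Rules checked, for added records only:
      * an NSEC RRset carries the SOA minimum TTL (RFC 4034 section 4, i.e. the
        negative-caching TTL of RFC 2308), whatever TTL the update asked for;
      * an RRSIG carries the TTL of the RRset it covers, and its "original TTL"
        field (4th rdata field) equals that TTL as well (RFC 4034 section 3).
    """
    problems = []
    rrset_ttl = {}  # (owner, type) -> TTL of every non-RRSIG RRset in the journal

    # Pass 1: collect RRset TTLs and check the NSEC rule.
    for op, owner, ttl, rtype, _ in records:
        if op != "add" or rtype == "RRSIG":
            continue
        rrset_ttl[(owner, rtype)] = ttl
        if rtype == "NSEC" and ttl != soa_minimum:
            problems.append(f"{owner} NSEC TTL {ttl} != SOA minimum {soa_minimum}")

    # Pass 2: check every RRSIG against the RRset it covers. The journal may list
    # the RRSIG before the record it signs, which is why this is a second pass.
    for op, owner, ttl, rtype, rdata in records:
        if op != "add" or rtype != "RRSIG":
            continue
        fields = rdata.split()
        covered, original_ttl = fields[0], int(fields[3])
        expected = soa_minimum if covered == "NSEC" else rrset_ttl.get((owner, covered))
        if expected is None:
            problems.append(f"{owner} RRSIG {covered}: covered RRset not in journal")
            continue
        if ttl != expected:
            problems.append(f"{owner} RRSIG {covered} TTL {ttl} != {expected}")
        if original_ttl != expected:
            problems.append(f"{owner} RRSIG {covered} original TTL {original_ttl} != {expected}")
    return problems


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    print("SOA minimum 86400:", check_ttls(recs, SOA_MINIMUM) or "all TTLs consistent")
    # Expecting NSEC to follow the update's "ttl 7200" instead flags every NSEC
    # and RRSIG(NSEC) record, which is exactly the behaviour the question asked about.
    for p in check_ttls(recs, 7200):
        print("with 7200:", p)
```

Run it against a real journal with `named-journalprint example.com.jnl | python3 check_ttls.py` after adapting the script to read stdin; the SOA minimum to pass in is the last field of the zone's SOA record. The second call in the `__main__` block, which pretends the rule were the update's own TTL, shows why the 86400 values in the question are the expected result and not a bug.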