Hi list
Testing dnssec-policy with BIND-9.16.21:
I'd like to better understand the "max-zone-ttl"-directive.
So I defined "max-zone-ttl 3600s;" within the dnssec-policy-options, but
when I configure the default zone TTL or even a resource record TTL
higher than the "max-zone-ttl" (for example to 7200s), then it's not
capped, as described in the documentation.
Look here:
- Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
- The RR "www.example.com." has a TTL of 7200
- The server returns a TTL of 7200
$ dig @192.168.1.10 www.example.com +dnssec +multi
...
...
;; ANSWER SECTION:
www.example.com. 7200 IN A 127.0.0.1
www.example.com. 7200 IN RRSIG A 13 3 7200 (
20211002202425 20210920143830 42786 example.com.
3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
...
...
What do I misunderstand here?
Many thanks for a hint.
Kind regards,
Tom
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
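The check described in the post can be automated. The following is an added example, not part of the original message and not ISC code: it reads dig answer lines and lists every record whose TTL, or whose RRSIG original-TTL field, is above a given max-zone-ttl value. The names parse_ttl and find_over_limit are hypothetical, and the sample input is the answer section from the post with the signature body left out.

```python
import re

# Answer lines as shown in the post (signature body omitted).
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
www.example.com. 7200 IN A 127.0.0.1
www.example.com. 7200 IN RRSIG A 13 3 7200 (
        20211002202425 20210920143830 42786 example.com. )
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# owner, TTL, class IN, type, rdata; indented continuation lines do not match
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_ttl(text):
    """Convert values such as '3600', '3600s' or '1h30m' to seconds."""
    text = text.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError(f"not a TTL value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def find_over_limit(dig_text, max_zone_ttl):
    """Return (owner, type, ttl) for each record above max_zone_ttl."""
    limit = parse_ttl(max_zone_ttl)
    hits = []
    for line in dig_text.splitlines():
        if line.startswith(";"):
            continue  # dig comment and section header lines
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if rtype == "RRSIG":
            # RRSIG rdata: type covered, algorithm, labels, original TTL, ...
            # The original TTL is the signed value and does not count down
            # in a cache, unlike the TTL shown in the answer line.
            fields = rdata.split()
            rtype, ttl = f"RRSIG({fields[0]})", int(fields[3])
        if ttl > limit:
            hits.append((owner, rtype, ttl))
    return hits


if __name__ == "__main__":
    for owner, rtype, ttl in find_over_limit(SAMPLE_ANSWER, "3600s"):
        print(f"{owner} {rtype}: TTL {ttl} exceeds max-zone-ttl 3600s")
```

Run it against answers from the authoritative server itself, since a caching resolver returns TTLs that have already counted down.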