I'm stumped. I have a zone which had a default $TTL of 86400 and I want to reduce it to 3600. This is normally not a problem, but the TTL of the DNSKEY RRset won't budge from 86400.
What is the correct method to change a zone's DNSKEY TTL when it's already been signed with "inline-signing yes; auto-dnssec maintain;"?

    zone "udp53.org." IN {
        type primary;
        file "udp53.org";
        dnssec-dnskey-kskonly yes;
        inline-signing yes;
        auto-dnssec maintain;
        update-policy {
            grant local-ddns zonesub ANY;
        };
    };

I've tried changing the zone's default $TTL with a freeze/edit/thaw dance followed by `rndc loadkeys` and `rndc sign`, but that doesn't alter the zone's DNSKEY TTL. I thought maybe $TTL would be the problem, so I set the SOA TTL explicitly and redid the dance; no change. Then I used `dnssec-settime -L` to change the TTL in the .key file (and verified the TTL was actually set there), but none of `rndc sign zone`, `loadkeys`, or freeze/edit/thaw causes the new TTL to be published in the DNSKEY RR.

I've not found an issue in BIND's GitLab, and none of the solutions in a 2016 thread by somebody who had the same problem seem sane. (One of the ideas, by a person whose name I won't mention, I think suggested editing the signed zone file ;)

I think the only way I'll be able to solve this is to stop the daemon, remove the *.signed* files, and restart to have the signer kick off anew. Is there something else I can try? I'm out of ideas.

-JP

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
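The symptom in the post (the zone's $TTL changed, but the DNSKEY RRset still answers with the old TTL) is easiest to pin down by listing every RRset whose published TTL differs from the intended one, rather than eyeballing a signed zone. The following Python check is an added example, not code from the post or from BIND; the zone name udp53.org. is taken from the post, while the sample zone content, key material and signature fields are constructed placeholders. It parses the master-file presentation format, so the same function can be run over the .signed zone file, a dnssec-keygen .key file, or the output of `dig +noall +answer udp53.org. DNSKEY`, and it resolves $TTL defaults, explicit per-record TTLs, omitted owner names and parenthesised multi-line records.

```python
"""List RRsets whose TTL differs from the one you intended.

Added example for the DNSKEY-TTL question on bind-users; not BIND code.
Works on zone files, dnssec-keygen .key files and `dig +noall +answer`
output, since all three use the master-file presentation format.
"""
from collections import OrderedDict

# Constructed fragment of an inline-signed zone: $TTL was lowered to 3600,
# but the signer still publishes the DNSKEY RRset (and its RRSIG) at 86400.
# Key and signature data are placeholders, not real cryptographic material.
SAMPLE_ZONE = """\
$ORIGIN udp53.org.
$TTL 3600
@           IN SOA   ns1 hostmaster 2024010101 7200 3600 1209600 3600
            IN NS    ns1
            IN RRSIG NS 13 2 3600 20240201000000 20240101000000 23456 udp53.org. zskSigPlaceholder==
ns1         IN A     192.0.2.1
@     86400 IN DNSKEY 257 3 13 (
                  kskPublicKeyPlaceholder== )   ; constructed KSK
@     86400 IN DNSKEY 256 3 13 zskPublicKeyPlaceholder==  ; constructed ZSK
@     86400 IN RRSIG  DNSKEY 13 2 86400 20240201000000 20240101000000 12345 udp53.org. kskSigPlaceholder==
"""

CLASSES = {"IN", "CH", "HS"}


def _fqdn(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def _logical_lines(text):
    """Yield (tokens, owner_omitted) per record, folding ( ... ) continuation
    lines and dropping ';' comments. owner_omitted is True when the record
    started with whitespace, i.e. it reuses the previous owner name."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            indented = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            toks = " ".join(buf).split()
            if toks:
                yield toks, indented
            buf, depth = [], 0


def rrset_ttls(text):
    """Return {(owner, type): ttl} for every RRset in `text`, applying the
    $TTL default where a record carries no explicit TTL."""
    default_ttl, origin, last_owner = None, ".", None
    ttls = OrderedDict()
    for toks, indented in _logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):
            continue  # $INCLUDE / $GENERATE are out of scope for this check
        owner = last_owner if indented else _fqdn(toks.pop(0), origin)
        last_owner = owner
        ttl = None
        # TTL and class are both optional and may appear in either order.
        for _ in range(2):
            if toks and toks[0].isdigit():
                ttl = int(toks.pop(0))
            elif toks and toks[0].upper() in CLASSES:
                toks.pop(0)
        if ttl is None:
            ttl = default_ttl
        rtype = toks[0].upper()
        if rtype == "RRSIG":  # an RRSIG's TTL tracks the RRset it covers (RFC 4034 s.3)
            rtype = "RRSIG(%s)" % toks[1].upper()
        key = (owner, rtype)
        if key in ttls and ttls[key] != ttl:  # RFC 2181: one TTL per RRset
            raise ValueError("RRset %s has mixed TTLs %s/%s" % (key, ttls[key], ttl))
        ttls[key] = ttl
    return ttls


def dnskey_ttl(text, zone):
    """TTL of the apex DNSKEY RRset as actually published, or None if absent."""
    return rrset_ttls(text).get((zone, "DNSKEY"))


def ttl_mismatches(text, wanted):
    """Every RRset whose published TTL is not `wanted`."""
    return {k: v for k, v in rrset_ttls(text).items() if v != wanted}


if __name__ == "__main__":
    print("DNSKEY TTL:", dnskey_ttl(SAMPLE_ZONE, "udp53.org."))
    for (owner, rtype), ttl in ttl_mismatches(SAMPLE_ZONE, 3600).items():
        print("%-16s %-16s %d" % (owner, rtype, ttl))
```

Run against a live server, the useful input is `dig +noall +answer udp53.org. DNSKEY @<your-primary>` pasted into `rrset_ttls`, since that is the TTL resolvers will cache; run against the .key file it confirms whether `dnssec-settime -L` wrote the value you expect, and run against the .signed file it shows whether the signer has picked it up yet. On the constructed sample, `ttl_mismatches(..., 3600)` reports exactly the DNSKEY and RRSIG(DNSKEY) RRsets at 86400, which is the state the post describes after changing $TTL.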