With the deprecation of "max-zone-ttl" coming soon, noting comments about it being moved to the dnssec-policy statements, how can we stop an upstream zone from accepting a dynamic update with a TTL out of range?
Basic situation:

- Primary zone server, no DNSSEC policies
- Primary signing server, inline-signing with DNSSEC policies
- Primary/Secondary distribution server, no DNSSEC policies

Whilst the "max-zone-ttl" will be valid in the dnssec-policy present on the signing server, it doesn't stop the possibility of an out-of-range TTL being introduced in the primary zone server initially, which I believe will be too late to make any intelligent decisions.

Is the idea to create a do-nothing dnssec policy to have some method of enforcement?

Thoughts?

Stuart

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
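The concern above is that, once the zone-level "max-zone-ttl" is gone, nothing on the primary rejects a dynamic update whose TTL is out of range before it lands in the zone. One place an operator can still enforce a ceiling is in front of the primary, on the update batch itself. The following is an added example, not code from the post or from BIND: a small pre-flight check that parses the TTL-bearing subset of an nsupdate batch (the `ttl` default statement and `update add` lines, whose TTL may be a plain second count or use BIND-style unit suffixes such as `1h` or `2d`) and reports every record whose effective TTL would exceed a configured maximum. The sample batch, the ceiling of 86400 seconds and the treatment of an omitted per-record TTL as "use the current `ttl` default" are assumptions of the example.

```python
"""
Pre-flight TTL check for nsupdate batch files.

Constructed example (not from the original post or from BIND).  It parses only
the nsupdate statements that carry a TTL:
    ttl <n>                                   ; default TTL for later adds
    update add <name> [<ttl>] [<class>] <type> <rdata...>
and returns every 'update add' whose effective TTL exceeds a ceiling, so a batch
can be rejected before it reaches a primary that no longer enforces max-zone-ttl.
"""
import re

# BIND-style TTL units: s, m, h, d, w (case-insensitive), optionally combined (1h30m).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(?:\d+[smhdwSMHDW]?)+$")


def parse_ttl(text):
    """Return a TTL in seconds from '3600', '1h', '1h30m', ...; None if text is not a TTL."""
    if not _TTL_RE.match(text):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdwSMHDW]?)", text):
        total += int(num) * _UNIT_SECONDS.get(unit.lower(), 1)
    return total


def check_update_batch(lines, max_ttl, default_ttl=0):
    """
    Walk an nsupdate batch and return a list of (owner name, ttl, line number) for
    every 'update add' whose effective TTL exceeds max_ttl.  A 'ttl <n>' statement
    changes the default applied to later adds that omit an explicit TTL (assumed
    behaviour of nsupdate's ttl command).  Comments after ';' are ignored.
    """
    violations = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0].lower() == "ttl" and len(tokens) == 2:
            parsed = parse_ttl(tokens[1])
            if parsed is not None:
                default_ttl = parsed
            continue
        if len(tokens) >= 3 and tokens[0].lower() == "update" and tokens[1].lower() == "add":
            name = tokens[2]
            ttl = default_ttl
            # The token after the owner name is the TTL if it parses as one;
            # otherwise it is the class or type and the default TTL applies.
            if len(tokens) > 3:
                explicit = parse_ttl(tokens[3])
                if explicit is not None:
                    ttl = explicit
            if ttl > max_ttl:
                violations.append((name, ttl, line_no))
    return violations


# Constructed sample batch; 192.0.2.0/24 is documentation address space.
SAMPLE_BATCH = """
server 192.0.2.1                                        ; constructed primary
zone example.com.
ttl 3600
update delete old.example.com. A
update add www.example.com. 300 IN A 192.0.2.10
update add api.example.com. 604800 A 192.0.2.11         ; one week, out of range
update add cname.example.com. IN CNAME www.example.com. ; uses default ttl 3600
update add big.example.com. 2d TXT "cache me"           ; 172800 s, out of range
send
""".splitlines()

MAX_ZONE_TTL = 86400  # assumed ceiling: one day


def audit_sample():
    """Run the check over the constructed batch with the assumed ceiling."""
    return check_update_batch(SAMPLE_BATCH, MAX_ZONE_TTL)


if __name__ == "__main__":
    for owner, ttl, line_no in audit_sample():
        print(f"line {line_no}: {owner} TTL {ttl} exceeds {MAX_ZONE_TTL}")
```

Run over the constructed batch, the check flags `api.example.com.` (604800 s) and `big.example.com.` (172800 s) while accepting the record that inherits the 3600 s default; pointing it at a real batch before `nsupdate` is invoked gives the primary-side ceiling that the zone option used to provide, independently of any dnssec-policy.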