On 16:48 10/01, Danilo Godec via bind-users wrote:
> Hello,
>
> today I implemented DNSSEC for a domain - by that I mean that the DS records
> have been published / added to TLD DNS today, while the zone has been signed
> a couple of days ago.
>
> So a couple of hours later I went to https://dnsviz.net to see if everything
> seems OK and it reports one error and a couple of warnings. The error is:
>
> RRSIG sid.si/NSEC3PARAM alg 13, id 48018: The TTL of the RRset (3600) exceeds
> the value of the Original TTL field of the RRSIG RR covering it (0).
>
> But if I use /dig/ for, I get this:
>
> ;; ANSWER SECTION:
> sid.si. 3600 IN NSEC3PARAM 1 0 10 -
> sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0
> 20220205091303 20220106091303 48018 sid.si.
> WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa
> pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
>
> Both records show TTL 3600 - which should be OK, I think? Where does
> dnsviz.net get that TTL 0?
That TTL is inside the rdata for the RRSIG. It says "... NSEC3PARAM 13 2 *0* ...". That 0 is the "original TTL" for the record. So currently there's an inconsistency between the 3600 declared in the TTL of the rrset, and the "original TTL" in the RRSIG.

Hugo
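As an added illustration of the check dnsviz is running (this is editor-written example code, not from the thread or from dnsviz): it parses dig-style presentation records, reads the Original TTL field out of the RRSIG rdata (the fourth rdata field, RFC 4034 section 3.1), and flags any RRset whose TTL exceeds it. It assumes the multi-line RRSIG from the thread has been joined onto a single line, and it also shows the caching rule from RFC 4035 section 5.3.3 that explains why an Original TTL of 0 matters to validating resolvers.

```python
# Constructed input: the two records quoted in the thread, RRSIG joined onto one line.
DIG_ANSWER = """\
sid.si. 3600 IN NSEC3PARAM 1 0 10 -
sid.si. 3600 IN RRSIG NSEC3PARAM 13 2 0 20220205091303 20220106091303 48018 sid.si. WVstsjBLSQNS+PaKbR3LAAALG7tlV+cuzLYUKgWDXKrFnxe+dxx5Tmsa pYIrabwi/sANBgEBMHtW1Z3NS7hRow==
"""

def parse_answer(text):
    """Split dig presentation lines into {(owner, type): ttl} and a list of RRSIG tuples."""
    rrsets, rrsigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue                      # skip comments / non-record lines
        owner, ttl, rtype = f[0], int(f[1]), f[3]
        if rtype == "RRSIG":
            # rdata order: type-covered alg labels original-ttl expiration inception key-tag signer sig
            rrsigs.append({
                "owner": owner, "ttl": ttl, "type_covered": f[4],
                "algorithm": int(f[5]), "labels": int(f[6]),
                "original_ttl": int(f[7]), "key_tag": int(f[10]),
            })
        else:
            rrsets[(owner, rtype)] = ttl
    return rrsets, rrsigs

def check_original_ttl(text):
    """Emulate the dnsviz error: the RRset TTL must not exceed the RRSIG Original TTL."""
    rrsets, rrsigs = parse_answer(text)
    problems = []
    for sig in rrsigs:
        rrset_ttl = rrsets.get((sig["owner"], sig["type_covered"]))
        if rrset_ttl is not None and rrset_ttl > sig["original_ttl"]:
            problems.append(
                f"RRSIG {sig['owner']}/{sig['type_covered']} alg {sig['algorithm']}, "
                f"id {sig['key_tag']}: RRset TTL {rrset_ttl} exceeds Original TTL "
                f"{sig['original_ttl']}")
    return problems

def validated_cache_ttl(rrset_ttl, original_ttl, seconds_until_expiration):
    """RFC 4035 s5.3.3: a validator caps the TTL of an authenticated RRset at the
    minimum of the received TTL, the RRSIG Original TTL and the remaining signature life."""
    return min(rrset_ttl, original_ttl, seconds_until_expiration)

if __name__ == "__main__":
    for problem in check_original_ttl(DIG_ANSWER):
        print(problem)
    # With Original TTL 0 a validating resolver caches the RRset for 0 seconds.
    print("effective cache TTL:", validated_cache_ttl(3600, 0, 30 * 86400))
```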
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users