I was hoping someone's experience could save me as I've spent too much time down this rabbit hole.
Primary nameserver is behind a cache/proxy on an enterprise network such that all external traffic hits this. Zone went bogus. I blame policy, but on further inspection 2 of 3 proxies had differing TTLs between the DNSKEY and its RRSIG. I dove into the RFC but not yet the code. I believe any security-aware system would throw out the DNSKEY with the RRSIG. I suspect that the signature hit the absolute time, got a fresh copy, and the DNSKEY stuck around another 2 days (1 week TTL). Now if the system wasn't security-aware, I'm not sure how the TTL became unmatched, but I can see that it could happen. I guess?

The questions:
- is this system broken?
- can I work around it with creative policy / TTL?
- can you explain other cases where these can get unmatched TTLs?

A low TTL would minimize it, but the appliance doesn't allow direct configuration for the DNSKEY TTL.

Thanks for your input,
Scott
bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
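An added example, not part of Scott's post and not BIND or ISC code, that makes the check he describes concrete. It takes a constructed `dig +dnssec DNSKEY`-style answer (placeholder zone name, key and signature bytes), applies the two rules the RFCs set for this case, namely that an RRSIG's TTL must match the TTL of the RRset it covers (RFC 4034 section 3) and that a validating cache must not keep an RRset past its RRSIG's expiration (RFC 4035 section 4.5), and reports the TTL skew plus the TTL a validating cache could actually honour at a given moment. Standard-library Python only; the 1 week / 2 day numbers in the sample are chosen to mirror the scenario in the post, not taken from any real zone.

```python
"""Check a DNSKEY RRset and its RRSIG for TTL consistency and compute how
long a validating cache may keep them. Applies RFC 4034 s.3 (RRSIG TTL
must equal the TTL of the covered RRset) and RFC 4035 s.4.5 (do not serve
an RRset past RRSIG expiration). Standard library only."""
from datetime import datetime, timezone

# Constructed sample in `dig +dnssec` presentation format. The zone name,
# key material and signature bytes are placeholders, not a real zone.
SAMPLE = """\
example.net. 432000 IN DNSKEY 257 3 13 AAAAplaceholderKSK=
example.net. 432000 IN DNSKEY 256 3 13 AAAAplaceholderZSK=
example.net. 604800 IN RRSIG DNSKEY 13 2 604800 20240315120000 20240301120000 12345 example.net. AAAAplaceholderSig=
"""


def parse_time(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 s.3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrs(text):
    """Parse presentation-format RRs into dicts; comments and blank lines
    are skipped. Only the RRSIG fields this check needs are decoded."""
    rrs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rr = {"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata}
        if rtype == "RRSIG":
            # Field order: type covered, algorithm, labels, original TTL,
            # expiration, inception, key tag, signer name, signature.
            rr["covers"] = rdata[0]
            rr["orig_ttl"] = int(rdata[3])
            rr["expiration"] = parse_time(rdata[4])
            rr["inception"] = parse_time(rdata[5])
        rrs.append(rr)
    return rrs


def ttl_findings(rrs):
    """One message per RRSIG whose TTL disagrees with the RRset it covers
    or exceeds its own Original TTL field. At the origin both must match;
    a cache decrements RRset and RRSIG together, so a skew means the two
    were fetched (or refreshed) at different times."""
    findings = []
    for sig in (r for r in rrs if r["type"] == "RRSIG"):
        covered = [r for r in rrs
                   if r["owner"] == sig["owner"] and r["type"] == sig["covers"]]
        ttls = sorted({r["ttl"] for r in covered})
        if not covered:
            findings.append(f"RRSIG({sig['covers']}) has no covered RRset")
        elif len(ttls) != 1:
            findings.append(f"{sig['covers']} RRset has mixed TTLs {ttls}")
        elif ttls[0] != sig["ttl"]:
            findings.append(f"{sig['covers']} TTL {ttls[0]} != RRSIG TTL "
                            f"{sig['ttl']} (skew {sig['ttl'] - ttls[0]}s)")
        if sig["ttl"] > sig["orig_ttl"]:
            findings.append(f"RRSIG({sig['covers']}) TTL {sig['ttl']} exceeds "
                            f"Original TTL {sig['orig_ttl']}")
    return findings


def effective_cache_ttl(rrs, covered_type, now):
    """Seconds a validating cache may keep `covered_type` from this answer:
    the smallest TTL among the RRset and its RRSIGs, capped at the time left
    until the signature expires. Returns 0 when no RRSIG is within its
    validity window, since the RRset would not validate and must not be
    cached as secure data."""
    sigs = [r for r in rrs if r["type"] == "RRSIG" and r["covers"] == covered_type]
    data = [r for r in rrs if r["type"] == covered_type]
    valid = [s for s in sigs if s["inception"] <= now < s["expiration"]]
    if not data or not valid:
        return 0
    remaining = max(int((s["expiration"] - now).total_seconds()) for s in valid)
    ttl = min(r["ttl"] for r in data + sigs)
    return max(min(ttl, remaining), 0)


if __name__ == "__main__":
    rrs = parse_rrs(SAMPLE)
    for f in ttl_findings(rrs):
        print("finding:", f)
    now = parse_time("20240314120000")
    print("cacheable DNSKEY TTL at", now.isoformat(), "=",
          effective_cache_ttl(rrs, "DNSKEY", now), "s")
```

Run it against real output by pasting the answer section of `dig +dnssec DNSKEY <zone>` from each proxy into SAMPLE: a non-zero skew on a proxy is exactly the "unmatched TTL" symptom, and comparing `effective_cache_ttl` across a signature-expiry boundary shows why a cache that honours the raw DNSKEY TTL but refreshes the RRSIG on expiry ends up holding the two for different lengths of time.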