Edwardo Garcia <wdgar...@gmail.com> wrote:

> One question however, it talks about longest TTL. Does this mean also root TLD zones (.com, .net) which from memory are 48 hours, so before we delete old keys we need to wait 48 hours, even though our zone TTL was 24?
When you are waiting after adding and signing with the new keys and before swapping the DS records, it's only the longest TTL in your own zone that matters. In my notes I call this the "child TTL" because the root and TLD etc. don't matter.

https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

When you're waiting for the DS TTL it's only the TTL of that particular record that matters. (It's in the parent zone so I called it the parent TTL.)

To be sure you are getting the right number you will need something like:

    dig +ttlunits example.com ds @$(dig +short com ns | head -1)

i.e. pick one of the nameservers of the parent zone and ask it for your zone's DS record, so you don't get misled by decremented cached TTLs. Note the DS TTL is often not the same as the parent NS or glue TTL.

> Thank you, wow much, much easier than I hoped for :-)

I'm happy it helped!

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Biscay: North, backing northwest later, 2 to 4, occasionally 5 later in east. Slight. Showers. Good.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
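The two waits Tony describes, worked through as a small offline script. This is an added example, not code from the thread or from Tony's rollover notes. It parses captured dig output (the +ttlunits form as well as plain seconds), takes the longest TTL among your own zone's records as the "child TTL", accepts the DS TTL only from an authoritative answer (the "aa" flag) so a resolver's decremented cached TTL cannot mislead you, and reports the two waits in seconds. The function names and the sample dig captures are constructed for this example; the DS digest and DNSKEY material are placeholders.

```python
"""DNSSEC rollover waits from captured dig output (added example, not from the thread).

Assumes two captures: your own zone's records (e.g. dig +ttlunits axfr against
your primary) and the DS RRset as served by a PARENT-zone nameserver, e.g.
    dig +ttlunits +noall +comments +answer example.com ds @$(dig +short com ns | head -1)
"""
import re

_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """Convert a dig TTL ('2d', '1h30m', or plain '3600') to seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([wdhms])", text)
    if not parts or "".join(v + u for v, u in parts) != text:
        raise ValueError("unparseable TTL: %r" % text)
    return sum(int(v) * _UNIT_SECONDS[u] for v, u in parts)


def parse_dig(output):
    """Return (header flags, records) from dig text; records are (owner, ttl, type)."""
    flags, records = set(), []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";; flags:"):
            # ";; flags: qr aa rd; QUERY: 1, ..." -> {"qr", "aa", "rd"}
            flags = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[2] == "IN":
                records.append((fields[0], parse_ttl(fields[1]), fields[3]))
    return flags, records


def child_ttl(zone_output):
    """Longest TTL in your own zone: the wait after signing with the new key."""
    _flags, records = parse_dig(zone_output)
    if not records:
        raise ValueError("no records found in zone capture")
    return max(ttl for _owner, ttl, _rtype in records)


def parent_ds_ttl(ds_output):
    """DS TTL, accepted only from an authoritative (aa) answer.

    A recursive resolver hands back a cached, counted-down TTL, which is the
    trap the thread warns about, so a non-aa answer is refused outright.
    """
    flags, records = parse_dig(ds_output)
    if "aa" not in flags:
        raise ValueError("not authoritative (no 'aa' flag); query a parent-zone nameserver")
    ds_ttls = [ttl for _owner, ttl, rtype in records if rtype == "DS"]
    if not ds_ttls:
        raise ValueError("no DS records in answer")
    return max(ds_ttls)


def rollover_waits(zone_output, ds_output):
    """Minimum waits, in seconds, for the two steps discussed in the thread."""
    return {
        # after publishing/signing with the new key, before swapping the DS
        "after_new_key_before_ds_swap": child_ttl(zone_output),
        # after the DS swap, before removing the old key
        "after_ds_swap_before_old_key_removal": parent_ds_ttl(ds_output),
    }


# Constructed sample captures (not real dig output), +ttlunits style.
ZONE_OUTPUT = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
example.com.      1d  IN  SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.      1d  IN  NS      ns1.example.com.
example.com.      1h  IN  DNSKEY  257 3 13 <public-key-placeholder>
www.example.com.  5m  IN  A       192.0.2.1
"""
# DS as served by a parent (.com) nameserver: authoritative, full TTL.
PARENT_DS_OUTPUT = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.      1d  IN  DS      12345 13 2 <digest-placeholder>
"""
# Same DS via a recursive resolver: cached, TTL already counted down, no aa.
CACHED_DS_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.      17h IN  DS      12345 13 2 <digest-placeholder>
"""

if __name__ == "__main__":
    print(rollover_waits(ZONE_OUTPUT, PARENT_DS_OUTPUT))
    try:
        parent_ds_ttl(CACHED_DS_OUTPUT)
    except ValueError as exc:
        print("rejected cached answer:", exc)
```

Note that the script deliberately has no network code: feed it the text you captured from dig, and feed `parent_ds_ttl` only what a parent-zone nameserver returned, which is why it insists on the "aa" flag rather than trusting whatever TTL happens to be in the answer.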