On 10/10/2017 02:35 PM, Mathieu Arnold wrote:
> Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list).
>
> Today, in preparation for a migration, I downed TTLs in a few zones, and
> by chance, while looking for something else, I found in the logs that
> all the TTLs I downed to 10 minutes (from 1 day) were being ignored with:
>
> Oct 10 14:23:57 ns1 ods-signerd: In zone file prepacolles.fr: TTL for
> the record 'mail.prepacolles.fr. 600 IN A 79.143.244.130' set to 86400
>
> I looked in the signer's source; I can't seem to find where and why it
> is doing that, or where to disable it.
>
That would be the code (in signer/src/signer/zone.c:zone_add_rr()) that makes sure all records in a record set (i.e. all "A" records for mail.prepacolles.fr) have the same TTL value.

Often overlooked is when you have a default TTL value in place, where one of the records does not have a TTL value (and thus uses the default) and the other has a TTL value specified. In case you change one, you should change both, or not use a default value. For DNSSEC it is required to have all records use a single TTL value.

\Berry

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
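The mixed-TTL situation Berry describes (a `$TTL` default, one record in the RRset inheriting it and another carrying an explicit lower TTL) is easy to catch before the zone reaches the signer. The following is an added example, not OpenDNSSEC code and not how `zone_add_rr()` decides which TTL wins: it parses a minimal zone-file subset, groups records into RRsets by (owner, class, type), reports any RRset whose members disagree on TTL, and optionally rewrites them to a single value so that the operator's intended TTL (here the lowest one) applies to the whole set. The zone name `example.test.`, the 192.0.2.0/24 addresses and the sample zone text are constructed for the example.

```python
"""Find RRsets whose member records carry different TTLs.

Added example, not OpenDNSSEC code. Zone-file subset handled: $ORIGIN, $TTL,
'@', relative owner names, a leading-whitespace line that reuses the previous
owner, optional TTL before the class, optional class, and '; comments'.
Multi-line (parenthesised) records are not supported.
"""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Turn a relative owner name into an absolute one under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin="example.test."):
    """Return a list of (owner, class, type, ttl, rdata) tuples.

    A record without an explicit TTL gets the current $TTL default, which is
    exactly the case that silently produces a mixed RRset when only one
    member is edited.
    """
    default_ttl = None
    prev_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if line[:1].isspace():               # owner omitted: reuse previous
            if prev_owner is None:
                raise ValueError("owner omitted before any owner was seen")
            owner, idx = prev_owner, 0
        else:
            owner, idx = _qualify(fields[0], origin), 1
        prev_owner = owner
        ttl = default_ttl
        if fields[idx].isdigit():            # explicit TTL overrides $TTL
            ttl = int(fields[idx])
            idx += 1
        rclass = "IN"
        if fields[idx].upper() in CLASSES:
            rclass = fields[idx].upper()
            idx += 1
        rtype = fields[idx].upper()
        rdata = " ".join(fields[idx + 1:])
        records.append((owner, rclass, rtype, ttl, rdata))
    return records


def find_mixed_ttl_rrsets(records):
    """Map (owner, class, type) -> [(ttl, rdata), ...] for RRsets with >1 TTL."""
    groups = defaultdict(list)
    for owner, rclass, rtype, ttl, rdata in records:
        groups[(owner, rclass, rtype)].append((ttl, rdata))
    return {key: members for key, members in groups.items()
            if len({ttl for ttl, _ in members}) > 1}


def unify_rrset_ttls(records, choose=min):
    """Return a copy of records where every RRset uses one TTL.

    choose() picks the TTL from the set of TTLs seen; min is what an operator
    lowering TTLs ahead of a migration wants. This is the example's own
    policy, not a claim about what the OpenDNSSEC signer does.
    """
    per_set = defaultdict(set)
    for owner, rclass, rtype, ttl, _ in records:
        per_set[(owner, rclass, rtype)].add(ttl)
    chosen = {key: choose(ttls) for key, ttls in per_set.items()}
    return [(o, c, t, chosen[(o, c, t)], r) for o, c, t, _, r in records]


# Constructed sample zone: mail. has one A record inheriting $TTL=86400 and
# one that was lowered to 600 by hand; www. was lowered consistently.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 86400
@       IN SOA ns1 hostmaster 2017101001 7200 900 1209600 3600
        IN NS  ns1
        IN MX  10 mail
ns1     IN A   192.0.2.1
mail    IN A   192.0.2.10       ; no TTL: inherits 86400
mail 600 IN A  192.0.2.11       ; lowered to 600
www  600 IN A  192.0.2.20
www  600 IN A  192.0.2.21
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for (owner, rclass, rtype), members in find_mixed_ttl_rrsets(recs).items():
        ttls = sorted({t for t, _ in members})
        print(f"mixed TTLs in {owner} {rclass} {rtype}: {ttls}")
```

Run against a zone before handing it to the signer; an RRset listed by `find_mixed_ttl_rrsets` is one the signer will normalise to a single TTL, and `unify_rrset_ttls` shows what the zone looks like once every member has been edited consistently.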
