Apologies, it appears that I sent this reply to Tom directly.

-------- Forwarded Message --------
Hi Tom,

That seems to be a copy-paste error, yes. Thanks for catching it, will fix.

There is another max-zone-ttl option that is used to cap TTLs of records added via dynamic updates.

Best regards,

Matthijs


On 21-09-2021 15:11, Tom wrote:
Hi Matthijs

Thank you for your explanation.

The documentation says that "any record encountered with a TTL higher than max-zone-ttl is capped at the maximum permissible TTL value".

Is the documentation wrong here?

Thank you.
Kind regards,
Tom



On 21.09.21 09:47, Matthijs Mekking wrote:
Hi Tom,

The max-zone-ttl is there to calculate the right timings for key rollovers. It won't alter the zone TTL values.

You should set the max-zone-ttl to whatever the highest TTL is in your zone to make sure key rollovers timings are correct.

This value exists until we have added code to the key manager that will read the zone's contents and detect the maximum TTL automatically.

I hope this clarifies things.

Best regards,

Matthijs


On 20-09-2021 17:47, Tom wrote:
Hi list

Testing dnssec-policy with BIND-9.16.21:

I'd like to better understand the "max-zone-ttl"-directive.
So I defined "max-zone-ttl 3600s;" within the dnssec-policy options, but when I configure the default zone TTL or even a resource record TTL higher than the "max-zone-ttl" (for example to 7200s), then it's not capped, as described in the documentation.

Look here:
- Within the dnssec-policy, I've defined "max-zone-ttl 3600;"
- The RR "www.example.com." has a TTL of 7200
- The server returns a TTL of 7200

$ dig @192.168.1.10 www.example.com +dnssec +multi
...
...
;; ANSWER SECTION:
www.example.com.    7200 IN A 127.0.0.1
www.example.com.    7200 IN RRSIG A 13 3 7200 (
                 20211002202425 20210920143830 42786 example.com.
                 3cprtWPAOwEuUvaiV5DKYWxhJHrdU6FL7Jk2+aNavOao
                 lTzQMKev2OF6TqPhXXfaHANIz+tiVhZaeaDCDagkSA== )
...
...


What do I misunderstand here?

Many thanks for a hint.

Kind regards,
Tom
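The practical takeaway from the thread is that the dnssec-policy max-zone-ttl does not cap anything; it has to be set to at least the highest TTL actually present in the zone, or the key-rollover timings BIND computes will be too short. The script below is an added example, not code from ISC or from the thread: it scans a zone file for the highest TTL and reports any record whose TTL exceeds the value you intend to put in the policy. It assumes a deliberately simplified zone-file syntax ($TTL, $ORIGIN, comments, optional TTL before or after the class, one-line records plus a parenthesised SOA), and the sample zone is constructed to mirror Tom's setup: a 3600 default with one www record at 7200.

```python
import re

# Constructed sample zone (not from the thread): default TTL 3600, but the
# www record carries an explicit 7200, so "max-zone-ttl 3600;" in the
# dnssec-policy would understate the zone's real maximum.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2021092001 ; serial
             7200       ; refresh
             3600       ; retry
             1209600    ; expire
             300 )      ; minimum
@        IN NS  ns1.example.com.
ns1      IN A   192.168.1.10
www 7200 IN A   127.0.0.1
mail  1h IN A   192.168.1.20
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(\d+)([smhdwSMHDW]?)$")
_CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text):
    """Convert a BIND TTL token such as '7200', '1h' or '2w' into seconds."""
    m = _TTL_RE.match(text)
    if not m:
        raise ValueError("not a TTL: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2).lower() or "s"]


def record_ttls(zone_text):
    """Yield (owner, ttl_seconds) for each record in a simplified zone file.

    Assumption: this is a small hand-rolled parser, not BIND's zone loader.
    Continuation lines of a parenthesised record (the SOA above) are skipped,
    because the record's TTL is on its first line.
    """
    default_ttl = None
    last_owner = "@"
    in_parens = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if in_parens:
            if ")" in line:
                in_parens = False
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):          # $ORIGIN, $INCLUDE: no TTL here
            continue
        if "(" in line and ")" not in line:
            in_parens = True
        # An owner name is present only when the line does not start blank.
        if not raw[0].isspace():
            last_owner = tokens.pop(0)
        ttl = default_ttl
        # The optional TTL field may sit before or after the class keyword.
        for tok in tokens[:2]:
            if tok.upper() in _CLASSES:
                continue
            if _TTL_RE.match(tok):
                ttl = parse_ttl(tok)
            break
        if ttl is None:
            raise ValueError("record %r has no TTL and no $TTL default" % last_owner)
        yield last_owner, ttl


def max_zone_ttl(zone_text):
    """Highest TTL in the zone, in seconds: what max-zone-ttl must cover."""
    return max(ttl for _, ttl in record_ttls(zone_text))


def check_policy_ttl(zone_text, configured_max_zone_ttl):
    """Compare a planned dnssec-policy max-zone-ttl with the zone's real maximum.

    Returns (ok, actual_max, offenders). Offenders are records whose TTL is
    above the configured value; per the thread they are not capped, they just
    make the computed rollover timings too optimistic.
    """
    offenders = [(o, t) for o, t in record_ttls(zone_text)
                 if t > configured_max_zone_ttl]
    return (not offenders, max_zone_ttl(zone_text), offenders)


if __name__ == "__main__":
    ok, actual, offenders = check_policy_ttl(SAMPLE_ZONE, 3600)
    print("highest TTL in zone:", actual)
    if not ok:
        print("max-zone-ttl 3600 is too low; records above it:")
        for owner, ttl in offenders:
            print("  %-10s %d" % (owner, ttl))
        print("set max-zone-ttl to at least", actual)
```

Run it against a real zone file by reading the file into `check_policy_ttl` with the value you plan to put in the policy; a non-empty offender list means either raise max-zone-ttl or lower those records' TTLs before relying on the rollover schedule.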
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users