Open jpmens opened 9 years ago
fyi: same problem is reported by dnssec-verify
:
Verifying the zone using the following algorithms: RSASHA256.
TTL mismatch for example.at NSEC3PARAM keytag 31653
Note that a 0 TTL will make caching for ANY queries suck.
Probably, and initially the problem occours due to Bind/OpenDNSSEC uses a TTL of 0. Nevertheless, changing the content of a pre-signed zone will cause validation errors.
Does it cause validation errors in actual validating resolvers?
OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.
OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml. Default value remains PT0S.
Does it cause validation errors in actual validating resolvers?
Resolvers/validators shouldn't fail on lowered TTL. That's how forwarding can work.
When PowerDNS 3.4.3 slaves a zone, it assigns a TTL to the NSEC3PARAM which is derived from the SOA minimum:
irrespective of the TTL of the master zone. For example, OpenDNSSEC assigns a TTL of 0 to NSEC3PARAM records as does BIND, even though RFC 5155 says
So, the signed zone in OpenDNSSEC has the following 0 TTL:
The change in TTL for the record causes zone validators such as validns to complain:
Is there any way we can specify a TTL of 0 for the NSEC3PARAM record?