mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-11 09:09:59 -04:00
Change default TTLsig to one week
Commit dc6dafdad1 allows larger TTL values in zones that go insecure, and ignores the maximum zone TTL. This means that if you use TTL values larger than 1 day in your zone, your zone runs the risk of going bogus before it moves safely to insecure.

Most resolvers by default cap the maximum TTL at which they cache RRsets at one day (Unbound, Knot, PowerDNS), so that is fine. However, BIND 9's default is one week. Change the default TTLsig to one week, so that also for BIND 9 resolvers in the default case, responses for zones that are going insecure will not be evaluated as bogus.

This change does mean that when unsigning your zone, it will take six days longer to safely go insecure, regardless of what TTL values you use in the zone.

(cherry picked from commit 32686beabc)
This commit is contained in:
parent 668e1f613f
commit dab43f84dd
1 changed file with 1 addition and 1 deletion
@ -28,7 +28,7 @@
#include <dns/log.h>
/* Default TTLsig (maximum zone ttl) */
#define DEFAULT_TTLSIG 86400
#define DEFAULT_TTLSIG 604800 /* one week */
isc_result_t
dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
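Review bot: the unchanged context line `/* Default TTLsig (maximum zone ttl) */` directly above the edited `#define` is now stale, since the commit message states that the maximum zone TTL is ignored as of dc6dafdad1; update the comment in this hunk to describe the new meaning (the default signature TTL used while a zone goes insecure, set to one week to cover BIND 9's default resolver cache cap) so the code does not contradict the rationale. Writing the new value as `7 * 86400 /* one week */` instead of the bare `604800` would also make the relationship to the previous one-day default obvious to the next reader. Finally, this diff touches a single file, so the user-visible consequence spelled out in the message (unsigning takes six days longer to reach insecure) is not recorded anywhere users will see it; a CHANGES entry and an ARM note should accompany this default change.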