git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Wed, 2 Aug 2023 09:16:50 +0000 (11:16 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 2 Aug 2023 10:19:25 +0000 (12:19 +0200)
commit	dab43f84dd4f94b88a82dd086fbdcf6e5379362a
tree	0687e60ec37cc6d35e52a7a8345f7585c3b25116	tree \| snapshot
parent	668e1f613f937f06d7a7fa5ab8ac80b6b1883390	commit \| diff

Change default TTLsig to one week

Commit dc6dafdad1bce4c59bec0dbc355650c384cfc4d9 allows larger TTL values
in zones that go insecure, and ignores the maximum zone TTL.

This means that if you use TTL values larger than 1 day in your zone,
your zone runs the risk of going bogus before it moves safely to
insecure.

Most resolvers by default cap the maximum TTL that they cache RRsets,
at one day (Unbound, Knot, PowerDNS) so that is fine. However, BIND 9's
default is one week.

Change the default TTLsig to one week, so that also for BIND 9
resolvers in the default cases responses for zones that are going
insecure will not be evaluated as bogus.

This change does mean that when unsigning your zone, it will take six
days longer to safely go insecure, regardless of what TTL values you
use in the zone.

(cherry picked from commit 32686beabc55727fc56e6fd02953233bf0daa8bd)