into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <literal>0</literal> or <literal>none</literal> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <literal>0</literal>
+ or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
</varlistentry>
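Review bot: "the TTL will default to the SOA TTL" leaves it ambiguous whose SOA TTL is meant and when the fallback is applied; since the preceding sentence already frames this as happening when the key is imported into a zone, suggest "the TTL will default to the SOA TTL of the zone the key is imported into" so readers do not expect the key file itself to carry a value.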
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <literal>0</literal> or <literal>none</literal> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <literal>0</literal>
+ or <literal>none</literal> removes it from the key.
</para>
</listitem>
</varlistentry>
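Review bot: the closing sentence here ("removes it from the key") differs from the parallel hunk above ("is the same as leaving it unset"). For a tool that edits an existing key the "removes it" wording is the accurate one, but the reader is left to infer what happens next; suggest spelling it out, e.g. "removes it from the key, after which the SOA TTL applies as described above", so the two pages describe the same end result.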
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec.xml,v 1.7 2011/10/13 23:47:10 tbox Exp $ -->
-
<sect1 id="dnssec.dynamic.zones">
<title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
<para>As of BIND 9.7.0 it is possible to change a dynamic zone
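Review bot: dropping the CVS $Id line is fine, but the blank line after it is removed too, so the license comment's closing --> now runs straight into <sect1 id="dnssec.dynamic.zones">; consider keeping one blank line between the comment and the section element for readability.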
key changes, however.)
</para>
<para>
+ When new keys are added to a zone, the TTL is set to match that
+ of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
+ then the TTL will be set to the TTL specified when the key was
+ created (using the <command>dnssec-keygen -L</command> option), if
+ any, or to the SOA TTL.
+ </para>
+ <para>
If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
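Review bot: "the TTL specified when the key was created (using the dnssec-keygen -L option)" is narrower than the behaviour documented in the hunks above, where the same option is also described on a tool that modifies an existing key and can remove the stored TTL; suggest "the TTL stored in the key file (set with dnssec-keygen -L, or later with dnssec-settime -L)" so that a TTL added or cleared after key creation is covered by this paragraph as well.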